Bug 579311 - Support safe SSL renegotiation (RFC 5746) and related options (in Apache 2.2.15)
Summary: Support safe SSL renegotiation (RFC 5746) and related options (in Apache 2.2.15)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 588181
Blocks: 580997
 
Reported: 2010-04-04 03:33 UTC by Matt McCutchen
Modified: 2010-05-31 18:25 UTC (History)

Fixed In Version: httpd-2.2.15-1.fc12.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 580997
Environment:
Last Closed: 2010-05-31 18:25:21 UTC
Type: ---
Embargoed:



Description Matt McCutchen 2010-04-04 03:33:36 UTC
Description of problem:
The current mod_ssl does not support safe renegotiation (RFC 5746).  Even if the server is not vulnerable to CVE-2009-3555 because it never performs server-initiated renegotiation, the client has no way to know that and may warn the user.  Support has been added in Apache 2.2.15.  Please update or patch Apache in Fedora.

Version-Release number of selected component (if applicable):
mod_ssl-2.2.14-1.fc12.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up Apache for https://localhost/, if not already done.
2. In Firefox, set the preference "security.ssl.treat_unsafe_negotiation_as_broken" to true.  (This will become the default soon: see https://bugzilla.mozilla.org/show_bug.cgi?id=535649 .)
3. Go to https://localhost/ and add a certificate override.

Actual results:
The server does not get the blue SSL badge because it does not support safe renegotiation.

Expected results:
The server gets the blue SSL badge.
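The Firefox badge test in the steps above can be reproduced without a browser: send a ClientHello that signals RFC 5746 (the TLS_EMPTY_RENEGOTIATION_INFO_SCSV plus an empty renegotiation_info extension) and check whether the ServerHello echoes renegotiation_info. The following is an added example, not code from this bug report or from the httpd project; it assumes the server still accepts an RSA key-exchange suite (true for a 2010-era httpd) and uses a fixed all-zero client random because only the extension echo is of interest.

```python
import socket
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746, section 3.3)
EXT_RENEG_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746, section 3.2)
PROBE_SUITES = (0x002F, 0x0035, 0x009C, SCSV)  # AES128-SHA, AES256-SHA, AES128-GCM-SHA256 + SCSV

def build_client_hello(suites=PROBE_SUITES):
    """TLS 1.2 ClientHello that signals RFC 5746 both ways: the SCSV and an empty renegotiation_info."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                  # client_version, fixed zero random (probe only), no session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                       # one compression method: null
    ext = struct.pack("!HHB", EXT_RENEG_INFO, 1, 0)           # renegotiated_connection = "" on an initial handshake
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body # client_hello(1) + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake(22)

def server_hello_extensions(record):
    """Extensions {type: data} of the ServerHello at the start of a TLS record; None if it is not a ServerHello."""
    if len(record) < 47 or record[0] != 0x16 or record[5] != 0x02:  # 47 = record + handshake headers + minimal body
        return None
    msg = record[9:9 + int.from_bytes(record[6:9], "big")]   # just this handshake message, not what follows it
    pos = 35 + msg[34] + 3                                    # past version(2), random(32), session_id, suite(2), compression(1)
    exts = {}
    if pos + 2 <= len(msg):                                   # the extensions block is optional in TLS <= 1.2
        end = pos + 2 + struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
            exts[etype] = msg[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return exts

def supports_secure_renegotiation(record):
    """True when the ServerHello echoes renegotiation_info, i.e. the server implements RFC 5746."""
    exts = server_hello_extensions(record)
    return exts is not None and EXT_RENEG_INFO in exts

def probe(host, port=443, timeout=5.0):
    """Connect, send the probe ClientHello and read the first record; an alert or a legacy ServerHello gives False."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = sock.recv(5)
        while len(data) >= 5 and len(data) - 5 < struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return supports_secure_renegotiation(data)
```

A `False` from `probe("localhost")` on a server that still negotiates an RSA suite corresponds to the missing badge in step 3; a handshake alert (a server that rejects every offered suite) also yields `False`, so check that case separately before concluding RFC 5746 is absent.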

Comment 1 Fedora Update System 2010-04-04 17:20:56 UTC
httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

Comment 2 Fedora Update System 2010-04-04 17:22:04 UTC
httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12

Comment 3 Fedora Update System 2010-04-04 17:25:14 UTC
httpd-2.2.15-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11

Comment 4 Tomas Hoger 2010-04-05 18:46:26 UTC
(In reply to comment #0)
> Support has been added in Apache 2.2.15.  Please update or patch Apache in
> Fedora.

That is incorrect.  httpd 2.2.15 does not add support for RFC 5746, you need updated openssl for that.  mod_ssl in 2.2.15 does two things:

- refuses client-initiated renegotiation (does not require new openssl)

- adds SSLInsecureRenegotiation directive (this requires new openssl at build time to actually work, though looking at the build logs, old openssl was used on F11, 1.0.0-beta4 on F12 should be missing some bits too)

Comment 5 Tomas Hoger 2010-04-06 06:53:47 UTC
To reply to a question from bodhi:

- first upstream openssl release with RFC 5746 support is 0.9.8m
  http://marc.info/?l=openssl-dev&m=126712103527093&w=2

  there are already updated 0.9.8n packages in F11 testing

- for F12+ / openssl-1.0.0, 1.0.0-beta5 should have all httpd needs, so for F12,
  it needs openssl 1.0.0-1 or newer

Comment 6 Matt McCutchen 2010-04-06 07:24:18 UTC
(In reply to comment #5)
> - for F12+ / openssl-1.0.0, 1.0.0-beta5 should have all httpd needs, so for
> F12,
>   it needs openssl 1.0.0-1 or newer

Unfortunately, openssl-1.0.0-1.fc12 is considered broken due to a multilib conflict (bug 579004), though that might not actually interfere with building against it.

Comment 7 Tomas Hoger 2010-04-06 07:44:32 UTC
Though an httpd build against it will have to wait for it to enter stable / testing.

There are two options:
- leave httpd 2.2.15 built against old openssl for now, SSLInsecureRenegotiation won't work (but based on comment #0, you don't really care)
- wait for openssl updates

In either case, an openssl update is needed to actually get RFC support.

Comment 8 Matt McCutchen 2010-04-06 08:08:38 UTC
Understood.  I would be inclined to wait for the openssl update.  I don't see much point in marking this bug fixed while leaving SSLInsecureRenegotiation broken; instead, I'll broaden this bug.

Comment 9 Robert Scheck 2010-04-06 13:46:34 UTC
Buildroot override requested: https://fedorahosted.org/rel-eng/ticket/3584

Comment 10 Fedora Update System 2010-04-06 19:57:02 UTC
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

Comment 11 Fedora Update System 2010-04-07 01:33:52 UTC
httpd-2.2.15-1.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1

Comment 12 Fedora Update System 2010-04-07 01:36:20 UTC
httpd-2.2.15-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1

Comment 13 Fedora Update System 2010-04-09 01:33:23 UTC
httpd-2.2.15-1.fc12.1 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1

Comment 14 Fedora Update System 2010-04-09 01:45:58 UTC
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1

Comment 15 Fedora Update System 2010-04-22 22:51:03 UTC
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2010-05-04 06:06:19 UTC
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Matt McCutchen 2010-05-18 06:53:53 UTC
This is not fixed in F12 until an installable httpd update is pushed, which requires that an installable openssl update be pushed (bug 588181).  (I should have reopened this a long time ago.)

Comment 18 Fedora Update System 2010-05-31 18:25:02 UTC
httpd-2.2.15-1.fc12.2 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

