Re: Impact of SSL renegotiation attacks on SMTP mail

  • Wietse Venema — Message 1 of 15, Nov 26, 2009
      gmx:
      > In-Reply-To-Message-ID: 20091109012901.6D90F1F3EA7@...
      >
      > Hi Wietse and Victor,
      >
      > Thank you very much for your analyses
      > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 .
      >
      > As a practitioner, the following question arises as we are in a business
      > partner context as you describe in
      > http://www.porcupine.org/postfix-mirror/smtp-renegotiate.pdf p. 6:
      >
      > 1) will
      > a) smtpd_tls_ask_ccert,
      > b) smtpd_tls_wrappermode,
      > c) smtpd_use_tls,
      > d) smtpd_enforce_tls
      > still work with the new openssl 0.9.8l
      > http://marc.info/?l=openssl-users&m=125751806022186&w=2 ?
      > 2) should I upgrade the openssl on the MTA to that version?

      They will break if some REMOTE system wants to renegotiate TLS, using
      a protocol that is not supported by the LOCAL TLS implementation.

      Note that it says: "remote system wants to renegotiate". Postfix
      does not request renegotiation, as far as I know.

      > 3) on p. 11, you say <<Wietse and Victor concocted detection mechanisms and
      > workarounds. Some may even end up in Postfix.>> - will they still be needed
      > with the new openssl that disables renegotiation altogether?

      These CLIENT-SIDE workarounds detect some attacks when you are
      talking to servers with vulnerable SSL implementations.

      Wietse