shibboleth-dev - Re: [Shib-Dev] OpenSSL Renegotiation bug
  • From: Chad La Joie <>
  • To:
  • Subject: Re: [Shib-Dev] OpenSSL Renegotiation bug
  • Date: Mon, 16 Nov 2009 13:44:32 +0100
  • Organization: SWITCH

Any effect on Shibboleth, we believe, is restricted to indirect issues visited upon us by the container itself. That is, the Shib code itself does not seem to do anything that would allow it to be exploited, but the containers in which the code runs may allow this. Certainly Apache is vulnerable to client-cert auth vulnerabilities, and so that, in turn, can compromise the attribute query and artifact resolution.

Scott and I are currently discussing if there are things we can do within the Shib code itself to mitigate any transport layer issues. In general we should be able to use message level security options that have been available in Shib 2 since its initial release in place of transport layer security. A small bug, now fixed in SVN, showed in the SP during our testing but otherwise the actual idea seemed to work fine. As a happy side-effect this would, in theory, also mean that a separate back channel port wouldn't be needed to do things like attribute queries (but at the cost of extra compute cycles spent on doing XML crypto operations).

Lukas Haemmerle wrote:
I just read about the OpenSSL Renegotiation issue and was wondering
whether this affects the Shibboleth SP. In particular, if X.509
clientAuth is enabled on a directory/location basis and not for the
whole VirtualHost, renegotiation is used if I remember correctly.
So, this could affect some installations if they upgrade their openssl
version whose default then is set to not use renegotiation.

Infos:
http://openssl.org/news/secadv_20091111.txt
http://isc.sans.org/diary.html?storyid=7543

Cheers
Lukas


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
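The two deployment patterns the thread contrasts, as an added example that is not part of the original messages: Apache httpd 2.2 with mod_ssl requiring a client certificate either per-Location inside a vhost (which forces a TLS renegotiation once the protected path is requested) or on a dedicated back-channel vhost (where the certificate is requested in the initial handshake). Hostname, port, file paths and the endpoint path are placeholders; the Shibboleth handler directives themselves are omitted.

```apacheconf
# Added example, not taken from the thread or the Shibboleth project.
# Placeholders: sp.example.org, the certificate/CA paths, port 8443 and the
# /Shibboleth.sso/SAML2/SOAP path.

# Pattern 1: client-cert auth scoped to a <Location> inside a vhost that does
# not otherwise ask for a certificate. The TLS session is set up without a
# client cert; when /Shibboleth.sso/SAML2/SOAP is requested, mod_ssl must
# renegotiate to obtain one. With an OpenSSL whose default is to refuse
# renegotiation, that second handshake fails and the endpoint stops working.
<VirtualHost *:443>
    ServerName sp.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sp.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/sp.example.org.key
    SSLVerifyClient none

    <Location /Shibboleth.sso/SAML2/SOAP>
        # Per-directory change of verification mode => renegotiation
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLCACertificateFile /etc/ssl/certs/federation-ca.pem
    </Location>
</VirtualHost>

# Pattern 2: a separate back-channel vhost on its own port. The certificate is
# demanded in the initial handshake for every request to this vhost, so no
# renegotiation is ever needed and the setting survives an OpenSSL upgrade
# that disables renegotiation. The front-channel vhost on 443 stays as above
# but without the <Location> block.
Listen 8443
<VirtualHost *:8443>
    ServerName sp.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sp.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/sp.example.org.key
    # Verification mode fixed for the whole vhost => no per-path renegotiation
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/certs/federation-ca.pem
</VirtualHost>
```

Pattern 2 is the "separate back channel port" the reply refers to; the message-level signing and encryption it proposes would make even that port unnecessary, at the cost of the XML crypto operations mentioned.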