Is Red Hat affected by TLS renegotiation MITM attacks (CVE-2009-3555)?

Updated 2012-04-16T05:25:44+00:00

Issue

Transport Layer Security (TLS) is a protocol used to establish a secure connection between a client and a server. A TLS renegotiation man-in-the-middle (MITM) attack disclosed by Marsh Ray of PhoneFactor allows an attacker to inject attacker-chosen plain text as a prefix to a victim's session: http://extendedsubset.com/?p=8 (Note: the linked issue reporter's site does not currently provide information on this flaw. Refer to Eric Rescorla's explanation of the flaw for a detailed description: http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html)

Environment

  • Red Hat Enterprise Linux
  • Red Hat Certificate System
  • Red Hat Directory Server
  • JBoss Enterprise Web Server
  • All web browsers

Resolution

Red Hat is aware of the issue and is tracking it via https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555

The reported issue is a TLS/SSL protocol flaw, and not a bug of any specific implementation. The issue therefore affects all protocol implementations. For Red Hat Enterprise Linux this includes the openssl, nss, and gnutls packages, as well as the Java Secure Socket Extension (JSSE) component of various Java Runtime Environments (Sun, IBM, and OpenJDK).

This issue is rated as having moderate security impact, as successful exploitation of this flaw requires a man-in-the-middle attack.

To address this issue, the IETF TLS working group has defined a TLS protocol extension that allows safe session renegotiation. This protocol extension is described in RFC 5746, "Transport Layer Security (TLS) Renegotiation Indication Extension": http://www.rfc-editor.org/rfc/rfc5746.txt

Red Hat has released updates that add support for RFC 5746 to the openssl, openssl097a, nss, gnutls, java-1.6.0-openjdk, java-1.6.0-sun, java-1.4.2-ibm, java-1.4.2-ibm-sap, java-1.5.0-ibm, and java-1.6.0-ibm packages. These updates are described in the Updates adding RFC 5746 support section.

Red Hat has made updates for httpd, java-1.4.2-ibm, java-1.5.0-ibm, java-1.6.0-ibm, java-1.6.0-openjdk, java-1.6.0-sun, tomcat5, tomcat6, and tomcat-native available to mitigate this flaw by disabling or limiting the use of renegotiation. These updates are described in the Mitigation updates section.

To date, practical attacks using this flaw have only been described for HTTPS. Both the mod_ssl and mod_nss modules for the httpd web server allowed clients to perform TLS session renegotiation at any time; therefore, the attack could be used against any HTTPS server using those modules. The impact depended on the web applications deployed on the server. For example, Cross-Site Request Forgery (CSRF) attack protections could mitigate certain attack vectors. There are no known methods to detect the attack on the client side without fully enforcing the new TLS extension. Any web browser not supporting RFC 5746 can be targeted by this attack.

Red Hat is not currently aware of attacks against other application protocols, but they may be discovered during future research.

Updates adding RFC 5746 support

This section details updates that add support for RFC 5746 to various TLS/SSL libraries, allowing clients and servers to renegotiate securely.

Hereafter, the terms upgraded (as used in RFC 5746) or patched (as used in the OpenSSL documentation) refer to a TLS/SSL client or server implementing RFC 5746, and the terms un-upgraded or unpatched refer to a TLS/SSL client or server not supporting RFC 5746.

Prior to the availability of RFC 5746 and its implementations, several updates were released to block or limit the use of renegotiation in multiple components. Those updates are described in the Mitigation updates section below.

The RFC 5746 implementation in OpenSSL

Support for RFC 5746 in OpenSSL was introduced upstream in version 0.9.8m.

The renegotiation behavior in the patched Red Hat OpenSSL packages:

  • a patched client can connect to and renegotiate with a patched server.
  • a patched client can connect to and renegotiate with an unpatched server. This is transitional behavior. Future OpenSSL updates may prevent connections to or renegotiations with unpatched servers.
  • a patched server allows patched clients to connect and renegotiate.
  • a patched server allows unpatched clients to connect, but not renegotiate.

Applications using OpenSSL can be modified to change this behavior by using the two newly-introduced options that can be set on SSL or SSL context structures:

  • SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION - when set, a patched server allows even unpatched clients to renegotiate, but also re-introduces the security vulnerability.
  • SSL_OP_LEGACY_SERVER_CONNECT - allows patched clients to connect to unpatched servers. This option is currently set by default.

These options can be controlled with the following OpenSSL functions: SSL_CTX_set_options() or SSL_set_options() to set them, and SSL_CTX_clear_options() or SSL_clear_options() to clear them.

For additional details, refer to the "Secure Renegotiation" section of the SSL_CTX_set_options(3) manual page.
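
The two options are plain bits in the OpenSSL option mask, and Python's ssl module exposes that same mask as SSLContext.options, so the set/clear calls above can be shown without a C build. The following is an added example, not Red Hat's or OpenSSL's code; the numeric fallbacks are the option values from OpenSSL's ssl.h, used only when the running Python does not export the names (OP_LEGACY_SERVER_CONNECT is exported from Python 3.12 on; OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is not exported by Python).

```python
import ssl

# Option bit values from OpenSSL's ssl.h, used as a fallback because most
# Python releases do not export these two names from the ssl module.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x00000004)
OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = getattr(
    ssl, "OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", 0x00040000)


def legacy_server_connect_allowed(ctx):
    """True if a client context will still connect to unpatched (pre-RFC 5746) servers."""
    return bool(ctx.options & OP_LEGACY_SERVER_CONNECT)


def unsafe_renegotiation_allowed(ctx):
    """True if a server context would renegotiate with unpatched clients (the vulnerable state)."""
    return bool(ctx.options & OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)


def strict_client_context():
    """Client context that refuses unpatched servers outright.

    Equivalent to SSL_CTX_clear_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT),
    i.e. the behaviour the text says future OpenSSL updates may adopt.
    """
    ctx = ssl.create_default_context()
    ctx.options &= ~OP_LEGACY_SERVER_CONNECT
    return ctx


def transitional_client_context():
    """Client context with the transitional behaviour: connects to unpatched
    servers because SSL_OP_LEGACY_SERVER_CONNECT is set (the package default)."""
    ctx = ssl.create_default_context()
    ctx.options |= OP_LEGACY_SERVER_CONNECT
    return ctx


def secure_server_context():
    """Server context that keeps the fix in force.

    No certificate is loaded here; a real server still calls
    ctx.load_cert_chain(). The point is that
    SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION stays cleared, so unpatched
    clients may connect but cannot renegotiate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options &= ~OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    return ctx


if __name__ == "__main__":
    print("strict client connects to unpatched servers:",
          legacy_server_connect_allowed(strict_client_context()))
    print("server allows unsafe renegotiation:",
          unsafe_renegotiation_allowed(secure_server_context()))
```

The same bit test is a useful audit hook in any Python service that builds its own SSLContext: assert that unsafe_renegotiation_allowed() is false on the server context at startup rather than relying on the library default.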

The openssl packages errata for Red Hat Enterprise Linux 3, 4, and 5, released on March 25, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0162.html
https://rhn.redhat.com/errata/RHSA-2010-0163.html

The openssl097a packages errata for Red Hat Enterprise Linux 5, released on March 25, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0164.html

The openssl packages errata for Red Hat Enterprise Virtualization, released on May 25, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0440.html

Updated openssl version for JBoss Enterprise Web Server 1.0 was released in version 1.0.1 and is available for download from the Customer Support Portal:

https://support.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=1.0.1

Updated openssl version for JBoss Enterprise Application Platform 5.0 was released in version 5.0.1 and is available for download from the Customer Support Portal:

https://support.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=appplatform&version=5.0.1

Note: With updated OpenSSL packages installed, httpd installations using the mod_ssl module to provide an HTTPS service, and configured to use server-initiated renegotiations, will no longer work for unpatched clients (users' web browsers). The Client-initiated renegotiations disabled in mod_ssl section below mentions configuration changes that can be used to avoid the need for server-initiated renegotiations. The new mod_ssl configuration directive, SSLInsecureRenegotiation, can be used to enable insecure renegotiation, allowing renegotiations with unpatched clients.

The httpd packages errata adding support for the SSLInsecureRenegotiation directive for Red Hat Enterprise Linux 4 and 5, released on March 25, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0168.html
https://rhn.redhat.com/errata/RHSA-2010-0175.html

The httpd and httpd22 packages errata adding support for the SSLInsecureRenegotiation directive for JBoss Enterprise Web Server, released on May 5, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0396.html

Updated JBoss Enterprise Web Server 1.0 httpd packages for Solaris and Windows can be downloaded from the Customer Support Portal:

https://support.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.1

The RFC 5746 implementation in NSS (Network Security Services)

Support for RFC 5746 in NSS was introduced upstream in version 3.12.6.

The renegotiation behavior in the patched Red Hat NSS packages:

  • a patched client can connect to and renegotiate with a patched server.
  • a patched client can connect to and renegotiate with an unpatched server. This is transitional behavior. Future NSS updates may prevent connections to or renegotiations with unpatched servers.
  • a patched server allows patched clients to connect and renegotiate.
  • a patched server allows unpatched clients to connect, but not renegotiate.

Applications using NSS can be modified to change this behavior by using the two newly-introduced options. These options can be set on SSL sockets by using the NSS SSL_OptionSet() function:

  • SSL_ENABLE_RENEGOTIATION - controls renegotiation behavior. It accepts one of the following values:
    • SSL_RENEGOTIATE_UNRESTRICTED - allows all renegotiations, even insecure.
    • SSL_RENEGOTIATE_NEVER - deny all renegotiations, even secure.
    • SSL_RENEGOTIATE_REQUIRES_XTN - allow secure renegotiation using RFC 5746. This is the default for upstream NSS 3.12.6.
    • SSL_RENEGOTIATE_TRANSITIONAL - similar to SSL_RENEGOTIATE_REQUIRES_XTN, but also allows patched clients to renegotiate with unpatched servers. This is the default for the current Red Hat NSS packages.
  • SSL_REQUIRE_SAFE_NEGOTIATION - controls whether secure renegotiation is required on the initial TLS/SSL handshake, that is, whether patched clients can connect to an unpatched server, or whether patched servers accept connections from unpatched clients. The current default is false.

In addition to modifying applications using the NSS library to add calls setting these options, the default value can be changed for unmodified applications by using the following environment variables:

  • NSS_SSL_ENABLE_RENEGOTIATION - changes the default value of the SSL_ENABLE_RENEGOTIATION option. Valid values:

    • a value of "1" or a lowercase or uppercase "u" sets the default to SSL_RENEGOTIATE_UNRESTRICTED.
    • a value of "0" or a lowercase or uppercase "n" sets the default to SSL_RENEGOTIATE_NEVER.
    • a value of "2" or a lowercase or uppercase "r" sets the default to SSL_RENEGOTIATE_REQUIRES_XTN.
    • a value of "3" or a lowercase or uppercase "t" sets the default to SSL_RENEGOTIATE_TRANSITIONAL.
    • Note: NSS only checks the first character of the NSS_SSL_ENABLE_RENEGOTIATION environment variable value. Therefore, the values listed above can be followed by an arbitrary string. This allows setting the value to, for example, "unrestricted" instead of "1" or "u" for better readability.
  • NSS_SSL_REQUIRE_SAFE_NEGOTIATION - changes the default value of the SSL_REQUIRE_SAFE_NEGOTIATION option. Valid value:

    • a value starting with "1" sets the default to true.

The nss packages errata for Red Hat Enterprise Linux 4 and 5, released on March 25, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0165.html

The nss packages errata for Red Hat Enterprise Virtualization, released on May 25, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0440.html

Note: With updated NSS packages installed, httpd installations using the mod_nss module to provide an HTTPS service, and configured to use server-initiated renegotiations, will no longer work for unpatched clients (users' web browsers). The need for server-initiated renegotiations can be avoided by applying similar configuration changes as noted for mod_ssl in the Client-initiated renegotiations disabled in mod_ssl section below. Alternatively, insecure renegotiations can be allowed for mod_nss by adding the following line to /etc/sysconfig/httpd and restarting the httpd service:

export NSS_SSL_ENABLE_RENEGOTIATION=u
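
Because NSS looks only at the first character of NSS_SSL_ENABLE_RENEGOTIATION, a line such as the one above is easy to misread during a review. The following added example (not Red Hat's or NSS's code) implements the value mapping listed in the NSS section exactly as the text states it and audits /etc/sysconfig/httpd-style lines for the setting that re-enables the vulnerability. It assumes that an unset variable yields the Red Hat package default (SSL_RENEGOTIATE_TRANSITIONAL) and reports any first character not listed in the text as unrecognised, since the text does not say how NSS treats such values.

```python
import re

# First-character mapping for NSS_SSL_ENABLE_RENEGOTIATION, case-insensitive.
RENEG_BY_FIRST_CHAR = {
    "1": "SSL_RENEGOTIATE_UNRESTRICTED", "u": "SSL_RENEGOTIATE_UNRESTRICTED",
    "0": "SSL_RENEGOTIATE_NEVER",        "n": "SSL_RENEGOTIATE_NEVER",
    "2": "SSL_RENEGOTIATE_REQUIRES_XTN", "r": "SSL_RENEGOTIATE_REQUIRES_XTN",
    "3": "SSL_RENEGOTIATE_TRANSITIONAL", "t": "SSL_RENEGOTIATE_TRANSITIONAL",
}
RED_HAT_PACKAGE_DEFAULT = "SSL_RENEGOTIATE_TRANSITIONAL"


def nss_enable_renegotiation(value):
    """Resolve the SSL_ENABLE_RENEGOTIATION default from the environment value.

    value is None when the variable is unset (package default applies).
    Only the first character counts, so "unrestricted" and "U" both select
    SSL_RENEGOTIATE_UNRESTRICTED. Returns None for an empty value or a first
    character the text does not list (assumption: reported as unrecognised).
    """
    if value is None:
        return RED_HAT_PACKAGE_DEFAULT
    if value == "":
        return None
    return RENEG_BY_FIRST_CHAR.get(value[0].lower())


def nss_require_safe_negotiation(value):
    """Resolve SSL_REQUIRE_SAFE_NEGOTIATION: only a value starting with "1" enables it."""
    return value is not None and value.startswith("1")


ASSIGNMENT_RE = re.compile(
    r'^\s*(?:export\s+)?(NSS_SSL_ENABLE_RENEGOTIATION|NSS_SSL_REQUIRE_SAFE_NEGOTIATION)=(.*)$')


def audit_sysconfig(text):
    """Return (lineno, variable, resolved value, severity, message) per assignment found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGNMENT_RE.match(line)
        if not m:
            continue
        var, raw = m.group(1), m.group(2).strip().strip('"\'')
        if var == "NSS_SSL_ENABLE_RENEGOTIATION":
            mode = nss_enable_renegotiation(raw)
            if mode == "SSL_RENEGOTIATE_UNRESTRICTED":
                sev, msg = "high", "insecure renegotiation with unpatched clients re-enabled (CVE-2009-3555)"
            elif mode is None:
                sev, msg = "warn", "unrecognised value; effective mode unknown"
            else:
                sev, msg = "info", "secure renegotiation setting"
            findings.append((lineno, var, mode, sev, msg))
        else:
            required = nss_require_safe_negotiation(raw)
            findings.append((lineno, var, required, "info",
                             "unpatched peers rejected on the initial handshake" if required
                             else "unpatched peers still accepted on the initial handshake"))
    return findings


# Constructed sample of an /etc/sysconfig/httpd fragment; not from a real system.
SAMPLE_SYSCONFIG = """\
# Configuration file for the httpd service.
OPTIONS=
export NSS_SSL_ENABLE_RENEGOTIATION=unrestricted
export NSS_SSL_REQUIRE_SAFE_NEGOTIATION="0"
"""

if __name__ == "__main__":
    for finding in audit_sysconfig(SAMPLE_SYSCONFIG):
        print(finding)
```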

The dirsec-nss packages for Red Hat Certificate System 7.3 for Red Hat Enterprise Linux were obsoleted by the system nss packages released in RHSA-2010:0165.

Updated dirsec-nss packages for Red Hat Certificate System 7.3 for Solaris, released on April 15, 2010, can be downloaded from the "Red Hat Certificate System 7.3 (for Solaris 9)" channel on the Red Hat Network:

https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=7094

Hotfix packages for Red Hat Certificate System 7.1 for Red Hat Enterprise Linux and Solaris can be obtained from Red Hat support.

Note: Red Hat Certificate System 7.1, 7.3 and 8.0 use server-initiated renegotiations by default. Refer to Configuration changes to prevent server-initiated TLS session renegotiations in Red Hat Certificate System for the configuration changes required to avoid server-initiated renegotiations in Red Hat Certificate System, if all clients cannot be updated at the same time as the Certificate System server. Users of Red Hat Certificate System 7.3 must also install updated rhpki-ra and rhpki-tps packages from RHBA-2010:0170 at the same time as the updated NSS packages.

Updated dirsec-nss packages for Red Hat Directory Server 8 for Solaris, released on April 15, 2010, can be downloaded from the "Red Hat Directory Server 8 (for Solaris 9)" channel on the Red Hat Network:

https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=7810

Hotfix packages for Red Hat Directory Server 7.1 for Red Hat Enterprise Linux and Solaris can be obtained from Red Hat support.

Note: Refer to The Effects of the TLS Session Renegotiation Vulnerability on Red Hat Directory Server 7.1 and The Effects of the TLS Session Renegotiation Vulnerability on Red Hat Directory Server 8.1 for additional notes on installing updated NSS packages for Red Hat Directory Server.

The RFC 5746 implementation in GnuTLS

Support for RFC 5746 in GnuTLS was introduced upstream in version 2.10.0.

The renegotiation behavior in the patched Red Hat GnuTLS packages:

  • a patched client can connect to and renegotiate with a patched server.
  • a patched client can connect to, but cannot renegotiate with an unpatched server. Future GnuTLS updates may prevent connections to unpatched servers.
  • a patched server allows patched clients to connect and renegotiate.
  • a patched server allows unpatched clients to connect, but not renegotiate.

Applications using GnuTLS can be modified to change this behavior for each GnuTLS session by using the two newly-introduced functions:

  • gnutls_safe_renegotiation_set() - this function can be used to allow insecure renegotiation. By default, secure renegotiation is required.
  • gnutls_safe_negotiation_set_initial() - this function can be used to require secure initial negotiation.

Note: The functions listed above are only available in the gnutls packages in Red Hat Enterprise Linux 4 and 5. In the gnutls packages in Red Hat Enterprise Linux 6, renegotiation behavior can be controlled using special keywords in priority strings, documented in the gnutls_priority_init(3) manual page. Special keywords in priority strings are not supported on Red Hat Enterprise Linux 4 and 5.

The gnutls packages errata for Red Hat Enterprise Linux 4 and 5, released on March 25, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0166.html
https://rhn.redhat.com/errata/RHSA-2010-0167.html

The gnutls packages errata for Red Hat Enterprise Virtualization, released on May 25, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0440.html

The RFC 5746 implementation in the Sun and the OpenJDK Java Runtime Environments

Support for RFC 5746 in the Sun Java Runtime Environment (JRE) was introduced upstream in version 6 Update 22, and in the corresponding OpenJDK updates.

The renegotiation behavior in the patched Sun and OpenJDK JRE packages:

  • a patched client can connect to and renegotiate with a patched server.
  • a patched client can connect to, but cannot renegotiate with an unpatched server.
  • a patched server allows patched clients to connect and renegotiate.
  • a patched server allows unpatched clients to connect, but not renegotiate.

The following properties can be used to change the default renegotiation behavior:

  • sun.security.ssl.allowUnsafeRenegotiation (default value false) can be used to allow unsafe renegotiation with unpatched peers.
  • sun.security.ssl.allowLegacyHelloMessages (default value true) can be used to completely disallow connections to or from unpatched peers.

For additional details, refer to:

http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html

The java-1.6.0-openjdk packages errata for Red Hat Enterprise Linux 5, released on October 13, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0768.html

The java-1.6.0-sun packages errata for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary, released on October 14, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0770.html

The java-1.6.0-openjdk packages errata for Red Hat Enterprise Linux 6, released on November 10, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0865.html

The RFC 5746 implementation in the IBM Java Runtime Environment

Support for RFC 5746 in the IBM Java Runtime Environment (JRE) was introduced upstream in versions 5.0 SR12-FP2, and 1.4.2 SR13-FP6.

The renegotiation behavior in the patched IBM JRE packages:

  • a patched client can connect to and renegotiate with a patched server.
  • a patched client can connect to, but cannot renegotiate with an unpatched server.
  • a patched server allows patched clients to connect and renegotiate.
  • a patched server allows unpatched clients to connect, but not renegotiate.

The following properties can be used to change the default renegotiation behavior:

  • com.ibm.jsse2.renegotiate can be used to enable or disable renegotiation. Multiple values are recognized, including:
    • NONE (default value) - only secure renegotiation with peers that implement RFC 5746 is allowed.
    • ALL - both secure and insecure renegotiation is allowed.
  • com.ibm.jsse2.extended.renegotiation.indicator controls whether RFC 5746 support is required during the initial TLS/SSL handshake. Valid values:
    • OPTIONAL (default value) - RFC 5746 support is not required during the initial handshake.
    • CLIENT, SERVER, BOTH - RFC 5746 support is required for client sockets, server sockets, or both client and server sockets respectively.
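
The Sun/OpenJDK and IBM properties listed above are normally passed as -D options in a JAVA_OPTS string or a start script, which is where a reviewer looks for a setting that re-enables the flaw. The following added example (not Red Hat's, Oracle's or IBM's code) parses such a string, applies the default values stated in the two sections, and reports the settings that matter. It assumes Sun/OpenJDK boolean values are case-insensitive (as Java's Boolean.parseBoolean treats them) and compares IBM keyword values in upper case; values other than NONE and ALL for com.ibm.jsse2.renegotiate are not interpreted, since the text lists only those two.

```python
import shlex

# Defaults as stated for the patched Sun/OpenJDK and IBM JREs.
DEFAULTS = {
    "sun.security.ssl.allowUnsafeRenegotiation": "false",
    "sun.security.ssl.allowLegacyHelloMessages": "true",
    "com.ibm.jsse2.renegotiate": "NONE",
    "com.ibm.jsse2.extended.renegotiation.indicator": "OPTIONAL",
}


def parse_system_properties(java_opts):
    """Extract -Dkey=value pairs from a JAVA_OPTS string or java command line."""
    props = {}
    for token in shlex.split(java_opts):
        if token.startswith("-D"):
            key, _, value = token[2:].partition("=")
            props[key] = value
    return props


def effective_settings(java_opts):
    """Merge explicit properties over the documented defaults and normalise case.

    sun.* booleans are lower-cased (Boolean.parseBoolean is case-insensitive);
    IBM keywords are upper-cased (assumption of this checker).
    """
    props = parse_system_properties(java_opts)
    effective = {}
    for key, default in DEFAULTS.items():
        raw = props.get(key, default).strip()
        effective[key] = raw.lower() if key.startswith("sun.") else raw.upper()
    return effective


def audit_java_opts(java_opts):
    """Return (severity, property, message) tuples for renegotiation-related settings."""
    eff = effective_settings(java_opts)
    findings = []
    if eff["sun.security.ssl.allowUnsafeRenegotiation"] == "true":
        findings.append(("high", "sun.security.ssl.allowUnsafeRenegotiation",
                         "unsafe renegotiation with unpatched peers enabled (CVE-2009-3555)"))
    if eff["com.ibm.jsse2.renegotiate"] == "ALL":
        findings.append(("high", "com.ibm.jsse2.renegotiate",
                         "insecure renegotiation allowed (CVE-2009-3555)"))
    if eff["sun.security.ssl.allowLegacyHelloMessages"] == "false":
        findings.append(("info", "sun.security.ssl.allowLegacyHelloMessages",
                         "connections to or from unpatched peers are refused"))
    indicator = eff["com.ibm.jsse2.extended.renegotiation.indicator"]
    if indicator in ("CLIENT", "SERVER", "BOTH"):
        findings.append(("info", "com.ibm.jsse2.extended.renegotiation.indicator",
                         "RFC 5746 support required on the initial handshake for "
                         + indicator.lower() + " sockets"))
    return findings


# Constructed JAVA_OPTS line of the kind found in a Tomcat or JBoss start script.
SAMPLE_JAVA_OPTS = ("-Xmx1024m -Dsun.security.ssl.allowUnsafeRenegotiation=TRUE "
                    "-Dcom.ibm.jsse2.extended.renegotiation.indicator=both")

if __name__ == "__main__":
    for finding in audit_java_opts(SAMPLE_JAVA_OPTS):
        print(finding)
```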

For additional details, refer to:

http://www.ibm.com/developerworks/java/jdk/security/50/secguides/jsse2Docs/JSSE2_RFC5746.html

The java-1.4.2-ibm packages errata for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary, released on October 20, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0786.html

The java-1.5.0-ibm packages errata for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary, released on October 27, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0807.html

The java-1.4.2-ibm-sap packages errata for Red Hat Enterprise Linux 4, 5 and 6 for SAP, released on December 15, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0986.html

The java-1.6.0-ibm packages errata for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 and 6 Supplementary, released on December 15, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0987.html

Note: The java-1.4.2-ibm packages updates disable renegotiation and add RFC 5746 support only in the non-default IBM JSSE2 provider for the JSSE component. The default JSSE provider is not updated with these fixes. Refer to the "IBMJSSE2 Provider Reference Guide" for instructions on how to configure the IBM Java 2 Runtime Environment to use the JSSE2 provider by default.

Mitigation updates

This section details updates that were released to provide mitigations for this flaw before RFC 5746 was defined and updates implementing it were available. Updates introducing support for RFC 5746, and hence allowing secure renegotiation between upgraded clients and servers, are described in the Updates adding RFC 5746 support section above.

Client-initiated renegotiations disabled in mod_ssl

Updated httpd packages were released that change mod_ssl to reject all client-initiated renegotiations, which mitigates this flaw for the majority of configurations using mod_ssl to provide HTTPS service. However, an attack is still possible in configurations where server-initiated renegotiations are required.

Configurations still affected by the issue are typically where:

  • Client certificate authentication is used for some part of the site, but is not required by default. This happens when "SSLVerifyClient require" is configured in a <Location> or <Directory> context section, but not in the corresponding <VirtualHost> for the SSL server.
  • Different cipher suites are required for different parts of the web site. Cipher suite requirements can be configured per-server or per-directory context using the SSLCipherSuite directive.

Server-initiated renegotiations can be avoided by:

  • Changing the site layout so that client certificate authentication is required for the whole site, rather than only a part. In other words, so that "SSLVerifyClient" is used only directly inside a <VirtualHost> section.
  • Using the same cipher suite for the whole site. The highest cipher strength requirement of all directories and locations should be set in the <VirtualHost> section.

Note: When both client and server support RFC 5746, they can renegotiate safely even in the configurations described above that require server-initiated renegotiations. As mod_ssl uses the OpenSSL library, refer to the section The RFC 5746 implementation in OpenSSL above for the list and description of the openssl package updates that add RFC 5746 support and that need to be installed to allow the HTTPS service to use secure renegotiation.
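
The two affected layouts above can be found mechanically. The following added example (not Red Hat's or the httpd project's code) parses an httpd configuration far enough to pair each <Location>, <Directory> or <Files> section with its enclosing <VirtualHost> and reports the per-section "SSLVerifyClient require" and differing SSLCipherSuite cases, along with any SSLInsecureRenegotiation directive switched on. It assumes a single file (no Include handling) and that the value compared against is the VirtualHost's own directive, falling back to the server-wide one.

```python
import re

OPEN_RE = re.compile(r'^<(\w+)\s*([^>]*)>$')
CLOSE_RE = re.compile(r'^</(\w+)\s*>$')
SUBCONTEXTS = {"location", "locationmatch", "directory", "directorymatch",
               "files", "filesmatch"}


def parse_config(text):
    """Return (global directives, vhosts); each vhost lists its sub-context sections.

    Directive names are lower-cased, values kept verbatim. Sub-contexts outside
    any VirtualHost are skipped; other containers (IfModule etc.) are transparent.
    """
    global_directives, vhosts = {}, []
    vhost = section = None
    ignore_depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            kind, arg = m.group(1).lower(), m.group(2).strip()
            if kind == "virtualhost":
                vhost = {"name": arg, "directives": {}, "sections": []}
            elif kind in SUBCONTEXTS:
                if vhost is None:
                    ignore_depth += 1
                else:
                    section = {"kind": m.group(1), "arg": arg, "directives": {}}
                    vhost["sections"].append(section)
            continue
        m = CLOSE_RE.match(line)
        if m:
            kind = m.group(1).lower()
            if kind == "virtualhost" and vhost is not None:
                vhosts.append(vhost)
                vhost = None
            elif kind in SUBCONTEXTS:
                if ignore_depth:
                    ignore_depth -= 1
                else:
                    section = None
            continue
        if ignore_depth:
            continue
        parts = line.split(None, 1)
        name, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        scope = section or vhost
        (scope["directives"] if scope else global_directives)[name] = value
    return global_directives, vhosts


def renegotiation_findings(text):
    """Return (vhost, location, code) tuples for the server-initiated renegotiation cases."""
    global_directives, vhosts = parse_config(text)
    findings = []
    if global_directives.get("sslinsecurerenegotiation", "off").lower() == "on":
        findings.append(("*", "server config", "insecure-renegotiation-enabled"))
    for vh in vhosts:
        d = vh["directives"]
        if d.get("sslinsecurerenegotiation", "off").lower() == "on":
            findings.append((vh["name"], "VirtualHost", "insecure-renegotiation-enabled"))
        vh_verify = d.get("sslverifyclient", global_directives.get("sslverifyclient", "none")).lower()
        vh_ciphers = d.get("sslciphersuite", global_directives.get("sslciphersuite"))
        for s in vh["sections"]:
            label = "<%s %s>" % (s["kind"], s["arg"])
            sd = s["directives"]
            # Client certificate required only here, not for the whole vhost.
            if sd.get("sslverifyclient", "").lower() == "require" and vh_verify != "require":
                findings.append((vh["name"], label, "client-cert-subset"))
            # Cipher suite differs from the vhost-wide one.
            ciphers = sd.get("sslciphersuite")
            if ciphers is not None and ciphers != vh_ciphers:
                findings.append((vh["name"], label, "cipher-suite-change"))
    return findings


# Constructed sample configuration; not taken from any real server.
SAMPLE_CONFIG = """\
Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    <Directory "/var/www/html/payments">
        SSLCipherSuite HIGH:!aNULL:!MD5:!SHA1
    </Directory>
    <Location /public>
        SSLCipherSuite HIGH:!aNULL:!MD5
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in renegotiation_findings(SAMPLE_CONFIG):
        print(finding)
```

The /public section repeats the VirtualHost cipher suite and is therefore not reported; only a section that actually changes the negotiated parameters forces a renegotiation.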

The httpd packages errata for Red Hat Enterprise Linux 3, 4, and 5, released on November 11, 2009:

https://rhn.redhat.com/errata/RHSA-2009-1579.html
https://rhn.redhat.com/errata/RHSA-2009-1580.html

The httpd and httpd22 packages errata for JBoss Enterprise Web Server, released on January 6, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0011.html

Updated JBoss Enterprise Web Server 1.0 packages for Solaris can be downloaded from the Customer Support Portal:

https://support.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.0

Renegotiations disabled in the IBM Java Runtime Environment

The IBM JRE versions 6 SR7, 5.0 SR11-FP1, and 1.4.2 SR13-FP4 disable renegotiation by default. It is possible to control renegotiation behavior by using the com.ibm.jsse2.renegotiate property. The default value is NONE (renegotiation is disabled). Unsafe renegotiation can be re-enabled by setting the property value to ALL. For additional details, refer to:

http://www-01.ibm.com/support/docview.wss?uid=nas258cbfcf0a5645af7862576710041f65e

These updates are obsoleted by updates adding RFC 5746 support. Refer to the section The RFC 5746 implementation in the IBM Java Runtime Environment above.

The java-1.6.0-ibm packages errata for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary, released on December 23, 2009:

https://rhn.redhat.com/errata/RHSA-2009-1694.html

The java-1.5.0-ibm packages errata for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary, released on March 3, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0130.html

The java-1.4.2-ibm packages errata for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary, released on March 17, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0155.html

The java-1.4.2-ibm packages errata for Red Hat Enterprise Linux 4 and 5 for SAP, released on May 12, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0408.html

Renegotiations disabled in the Sun and the OpenJDK Java Runtime Environments

The Sun JRE version 6 Update 19, and the corresponding OpenJDK JRE updates disable renegotiation by default. It is possible to enable unsafe renegotiation by using the sun.security.ssl.allowUnsafeRenegotiation property. The default value is false (renegotiation is disabled).

These updates are obsoleted by updates adding RFC 5746 support. Refer to the section The RFC 5746 implementation in the Sun and the OpenJDK Java Runtime Environments above.

The java-1.6.0-sun packages errata for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary, released on March 31, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0337.html

The java-1.6.0-openjdk packages errata for Red Hat Enterprise Linux 5, released on March 31, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0339.html

Renegotiations disabled in Apache Tomcat

Apache Tomcat can be configured to run as a stand-alone HTTPS server. For TLS/SSL, the Tomcat HTTPS connector can use the implementation provided by either the JSSE component of the JRE (Sun, IBM, or OpenJDK) or OpenSSL (when using the Tomcat Native library). Both JSSE and OpenSSL handle client-requested renegotiations transparently. Additionally, Tomcat may ask the client to renegotiate in certain configurations using client certificate authentication, for example, configurations where:

  • A client certificate is not required on the initial connection, such as when:
    • The clientAuth attribute of the HTTPS connector using JSSE is set to false.
    • The SSLVerifyClient attribute of the HTTPS connector using OpenSSL is set to none.
  • A web application specifies the CLIENT-CERT authentication method in the login-config section of the application's web.xml file.

The following mitigations were applied to Tomcat and Tomcat Native:

  • Tomcat 5.5.29 and 6.0.21 add a new attribute for the HTTPS connector using JSSE, allowUnsafeLegacyRenegotiation. When this attribute is set to false (the default value), Tomcat will reject both client- and server-initiated renegotiations.
  • Tomcat Native 1.1.18 restricts client-initiated renegotiations for the HTTPS connector using OpenSSL. Server-initiated renegotiations are still allowed. This mitigation is similar to the mod_ssl mitigation described above.
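
The combination that matters is a web application using CLIENT-CERT together with an HTTPS connector that does not request the certificate on the initial handshake. The following added example (not Red Hat's or Apache Tomcat's code) reads a server.xml and a web.xml and reports that combination for both connector types, plus any JSSE connector that has allowUnsafeLegacyRenegotiation switched on. It assumes, for classification only, that a connector whose protocol class name contains "Apr" or which carries SSLCertificate*/SSLVerifyClient attributes is backed by Tomcat Native and OpenSSL; everything else is treated as JSSE. The XML samples are constructed.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix; web.xml normally declares a default namespace."""
    return tag.rsplit("}", 1)[-1]


def https_connectors(server_xml):
    """Return the attribute maps of all Connector elements with SSLEnabled="true"."""
    root = ET.fromstring(server_xml)
    return [c.attrib for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def webapp_uses_client_cert(web_xml):
    """True if the web.xml login-config selects the CLIENT-CERT auth method."""
    root = ET.fromstring(web_xml)
    return any(_local(el.tag) == "auth-method"
               and (el.text or "").strip().upper() == "CLIENT-CERT"
               for el in root.iter())


def uses_openssl(attrs):
    """Classification assumption: APR protocol class or OpenSSL-style attributes."""
    return ("Apr" in attrs.get("protocol", "")
            or any(k.startswith("SSLCertificate") or k == "SSLVerifyClient" for k in attrs))


def audit_tomcat(server_xml, web_xml):
    """Return (port, code) findings for the renegotiation cases described above."""
    client_cert_app = webapp_uses_client_cert(web_xml)
    findings = []
    for attrs in https_connectors(server_xml):
        port = attrs.get("port", "?")
        if uses_openssl(attrs):
            # Tomcat Native 1.1.18 still permits server-initiated renegotiation,
            # so a CLIENT-CERT login behind SSLVerifyClient="none" triggers one;
            # it is safe only when OpenSSL on both sides implements RFC 5746.
            if client_cert_app and attrs.get("SSLVerifyClient", "none").lower() == "none":
                findings.append((port, "server-initiated-renegotiation-openssl"))
        else:
            if attrs.get("allowUnsafeLegacyRenegotiation", "false").lower() == "true":
                findings.append((port, "unsafe-renegotiation-enabled"))
            # With the default allowUnsafeLegacyRenegotiation="false" the
            # renegotiation is rejected and CLIENT-CERT login fails; requesting
            # the certificate up front (clientAuth="true") avoids it.
            if client_cert_app and attrs.get("clientAuth", "false").lower() == "false":
                findings.append((port, "server-initiated-renegotiation-jsse"))
    return findings


# Constructed server.xml with one JSSE and one APR/OpenSSL HTTPS connector.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" clientAuth="false" sslProtocol="TLS"
               allowUnsafeLegacyRenegotiation="true" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/etc/pki/tls/certs/localhost.crt"
               SSLVerifyClient="none" />
  </Service>
</Server>
"""

# Constructed web.xml of an application that authenticates with client certificates.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Payments</realm-name>
  </login-config>
</web-app>
"""

if __name__ == "__main__":
    for finding in audit_tomcat(SAMPLE_SERVER_XML, SAMPLE_WEB_XML):
        print(finding)
```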

For additional details about these mitigations, refer to the Tomcat and Tomcat Native documentation, and the following vulnerability pages:

http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-native.html

Note: It is common to use Tomcat as a Servlet or JavaServer Pages (JSP) container behind another web server, which handles the encrypted connections and passes the requests to Tomcat in unencrypted form. For these configurations, the Tomcat and Tomcat Native mitigations described above do not apply: the issue needs to be addressed in the web server or the TLS/SSL library used by the web server.

Updated tomcat5, tomcat6, and tomcat-native packages were released as part of the JBoss Enterprise Web Server 1.0.1 update on February 23, 2010:

https://rhn.redhat.com/errata/RHSA-2010-0119.html

Updated JBoss Enterprise Web Server 1.0.1 packages for Solaris can be downloaded from the Customer Support Portal:

https://support.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=1.0.1

Revision history

  • 2009-11-05 - Initial version.
  • 2009-11-09 - Extended impact description.
  • 2009-11-11 - Added descriptions of the httpd / mod_ssl mitigations, references to RHSA-2009:1579 and RHSA-2009:1580.
  • 2010-02-09 - Added reference to RHSA-2010:0011. Added reference to the IETF approved renegotiation extension draft. Added IBM JRE mitigation notes and reference to RHSA-2009:1694.
  • 2010-02-23 - Added reference to RFC 5746. Added Tomcat mitigation notes and reference to RHSA-2010:0119.
  • 2010-03-03 - Added reference to RHSA-2010:0130.
  • 2010-03-17 - Added reference to RHSA-2010:0155.
  • 2010-03-25 - Added descriptions of the openssl, nss, and gnutls updates adding support for RFC 5746. Added references to RHSA-2010:0162, RHSA-2010:0163, RHSA-2010:0164, RHSA-2010:0165, RHSA-2010:0166, RHSA-2010:0167 and RHSA-2010:0168.
  • 2010-04-01 - Added reference to RHSA-2010:0175. Added Sun and OpenJDK JRE mitigation notes and references to RHSA-2010:0337 and RHSA-2010:0339.
  • 2010-06-10 - Added references to updates for Red Hat Certificate System, Red Hat Directory Server, JBoss Enterprise Web Server and JBoss Enterprise Application Platform. Added references to RHSA-2010:0396, RHSA-2010:0408 and RHSA-2010:0440.
  • 2010-10-15 - Documented RFC 5746 support in the Sun and OpenJDK JRE. Added references to RHSA-2010:0768 and RHSA-2010:0770. Listed the upstream GnuTLS version providing RFC 5746 support.
  • 2010-10-29 - Documented RFC 5746 support in the IBM JRE. Added references to RHSA-2010:0786 and RHSA-2010:0807.
  • 2011-01-06 - Added references to RHSA-2010:0865, RHSA-2010:0986, and RHSA-2010:0987.
  • 2012-04-16 - Added link to Eric Rescorla's issue description. Clarified "Client-initiated renegotiations disabled in mod_ssl" section regarding OpenSSL packages updates that add RFC 5746 support.