Hello everyone.
I've an Apache 2.2.11 up and running in a Linux SUSE 10 environment and OpenSSL 0.9.6.g version.

After a network scan they've found that I have to disable TLS renegotiation support in my server.
I've seen that I can do this with the SSLInsecureRenegotiation off directive in my configuration file, but this is available with Apache 2.2.15.
I found this on the web:

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

Is there some workaround to do this without upgrading my Apache version?
I mean some mod_ssl configuration directives that I can set to bypass the problem/vulnerability?

Thanks in advance.
Greetings

Vorazzo Manuela

******************* Internet Email Confidentiality Footer *******************
Any unauthorized use of this e-mail or any of its attachments is prohibited and could constitute an offence. If you are not the intended addressee please advise immediately the sender by using the reply facility in your e-mail software and destroy the message and its attachments. The statements and opinions expressed in this e-mail message are those of the author of the message and do not necessarily represent those of SIA-SSB S.p.A. Besides, the contents of this message shall be understood as neither given nor endorsed by SIA-SSB S.p.A. SIA-SSB S.p.A. does not accept liability for corruption, interception or amendment, if any, or the consequences thereof.
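An added triage helper, not part of the thread and not Apache's own tooling: it decides from the versions the post quotes (Apache 2.2.15, OpenSSL 0.9.8m) whether the RFC 5746 fix is even present in a build, and classifies the "Secure Renegotiation IS / IS NOT supported" line that `openssl s_client` prints after a handshake. The s_client excerpts are constructed, not captured from a real host.

```python
"""Triage for CVE-2009-3555 on an Apache/mod_ssl host (constructed example).
Two questions: does the build contain the RFC 5746 fix at all, and does a
running server advertise secure renegotiation to a connecting client?"""
import re

APACHE_FIXED = (2, 2, 15)          # release that introduced SSLInsecureRenegotiation
OPENSSL_FIXED = (0, 9, 8, "m")     # first OpenSSL release with RFC 5746 support

def parse_openssl_version(text):
    """Turn '0.9.6g', '0.9.6.g' (as written in the post) or '1.0.1e' into a
    tuple that compares correctly; a patch letter sorts after no letter."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.?([a-z]*)", text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def parse_apache_version(text):
    """Accept 'Apache/2.2.11 (Unix)' as printed by `httpd -v`, or bare '2.2.11'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Apache version found in %r" % text)
    return tuple(int(g) for g in m.groups())

def fix_available(apache_version, openssl_version):
    """True only when BOTH halves are present: the changelog quoted in the
    thread ties the mod_ssl fix to being compiled against OpenSSL >= 0.9.8m."""
    return (parse_apache_version(apache_version) >= APACHE_FIXED
            and parse_openssl_version(openssl_version) >= OPENSSL_FIXED)

def secure_renegotiation_advertised(s_client_output):
    """Classify the line `openssl s_client -connect host:443` prints after the
    handshake. Returns True, False, or None when the line is absent (a client
    without RFC 5746 support prints nothing, so the check is inconclusive)."""
    if "Secure Renegotiation IS supported" in s_client_output:
        return True
    if "Secure Renegotiation IS NOT supported" in s_client_output:
        return False
    return None

# Constructed s_client excerpts, not captured from any real host.
SAMPLE_UNPATCHED = "SSL-Session:\n    Protocol  : TLSv1\nSecure Renegotiation IS NOT supported\n"
SAMPLE_PATCHED = "SSL-Session:\n    Protocol  : TLSv1\nSecure Renegotiation IS supported\n"

if __name__ == "__main__":
    # The poster's build: Apache 2.2.11 with OpenSSL 0.9.6.g.
    print("fix available on 2.2.11 / 0.9.6.g:", fix_available("Apache/2.2.11 (Unix)", "0.9.6.g"))
    print("server advertises RFC 5746:", secure_renegotiation_advertised(SAMPLE_UNPATCHED))
```

A server on which `fix_available` is False cannot honour the directive at all; only a build meeting both version floors can be verified with the s_client check.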