Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Mon, 22 Mar 1999 19:42:49 +0000  
From: Ben Laurie <ben@ALGROUP.CO.UK>  
Subject: OpenSSL/SSLeay Security Alert  
OpenSSL and SSLeay Security Alert  
It was recently realised that packages that use SSLeay and OpenSSL may  
suffer from a security problem: under some circumstances, SSL sessions  
can be reused in a different context from their original one. This may  
allow access controls based on client certificates to be bypassed.  
Unfortunately, before the the problem was fully understood, it was  
discussed on various public lists. The OpenSSL team have therefore  
decided to release an interim version of OpenSSL which addresses the  
problem by disabling session reuse except in limited circumstances  
(see below).  
A future version will deal with the problem more elegantly by redoing  
verification on reused sessions when necessary.  
Although this problem is not strictly a defect in OpenSSL, it is  
rather tricky for applications to be coded correctly to avoid the  
problem due to the sketchy nature of SSLeay/OpenSSL documentation. We  
therefore decided to protect applications from within OpenSSL.  
The problem  
SSL sessions include a session ID which allows initial setup to be  
bypassed once a session has been established between a client and  
server. This session ID, when presented by the client, causes the same  
master key to be used as was used on the previous connection, thus  
saving considerable session setup time.  
When the session is reused in this manner, all access controls based  
on client certificates are bypassed, on the grounds that the original  
session would have made the necessary checks.  
Unfortunately, the lack of documentation has resulted in the caching  
structures being used in certain applications without appropriate care  
being taken to assure that the cached sessions are only available at  
the appropriate moments.  
As a result it is sometimes possible for a specially written SSL  
client to fraudulently obtain an SSL connection which requires access  
control by reusing a previous session which had different or no access  
The problem affects servers which support session reuse and which have  
multiple virtual hosts served from a single server, where some virtual  
hosts use differing client server verifications. Note that "different"  
includes no verification on some hosts, and verification on others, or  
different CAs for different hosts.  
In order to exploit this problem carefully written client software  
would need to be written. The attacker would need considerable  
knowledge of the SSL protocol. Standard web browsers will not and  
cannot be made to use SSL in this way.  
Affected software  
All server software using SSLeay or versions of OpenSSL prior to  
version 0.9.2b that support multiple virtual hosts with different  
client certificate verification may be vulnerable.  
This includes, but is not limited to:  
The solution  
Download OpenSSL 0.9.2b (see and build it in  
the usual way.  
Check the application for updates, and download those, too (NB: this  
step is not necessarily required, the updated library will fix the  
problem). The versions of the applications listed above that you should  
use are:  
Apache_SSL 1.3.4+1.32  
mod_ssl 2.2.6-1.3.4  
Raven 1.4.0  
Stronghold 2.4.2  
Rebuild the application (if needed).  
If you are an application author, you should look in to the use of  
SSL_set_session_id_context(), which can be used to reenable session  
reuse when appropriate.  
Known exploits  
There are no known exploits of this security hole.  
Ben Laurie, for the OpenSSL team.  
"My grandfather once told me that there are two kinds of people: those  
who work and those who take the credit. He told me to try to be in the  
first group; there was less competition there."  
- Indira Gandhi