Kurt Zeilenga wrote:
> I've now posted my preliminary report on the general impact of TLS
> renegotiation on LDAP to the [email protected] list, for initial
> discussion there. A final report will be made available later, likely
> posted to [email protected].
>
> This message is available in our local archive of this list:
> http://www.openldap.org/lists/ietf-ldapext/200911/msg00000.html
>
> Howard has already made a brief statement here regarding impact upon
> OpenLDAP Software on this list. In short summary, only the "milder
> issue" applies to OpenLDAP Software (and seems to be a very minor
> concern). Clients can mitigate this issue as discussed in the
> report. Servers can mitigate this issue by disabling TLS
> renegotiations within their TLS library. Disabling TLS renegotiations
> in the server has side effects which might not be desirable in certain
> deployments.
OpenSSL 0.8.9l was quickly released in response to this attack. It is supposed to disable TLS renegotiation support, but it has a number of bugs. Instead of cleanly closing the session when a reneg occurs, it hangs. I suggest that people hold off another couple days before deploying a TLS reneg fix. At least for OpenLDAP, since in this case the cure is worse than the actual problem.

http://groups.google.com/group/mailing.openssl.dev/browse_thread/thread/4c36ff4db820e37c#

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
