SSL/TLS Vulnerability Fix (CVE-2009-3555)
Web Server 7.0 Update 7 is upgraded to include NSS 3.12.5 which provides relief for the SSL/TLS renegotiation vulnerability: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
This vulnerability is a flaw in the current SSL/TLS renegotiation protocol definition. It is not a bug in the Web Server implementation. Due to this reason, there is no implementation-level fix for this vulnerability. The only workaround is to disable renegotiation entirely in order to protect the Web Server from attack.
Therefore, Web Server 7.0 Update 7 disables all use of SSL/TLS renegotiation. If either the client or the Web Server attempt to trigger renegotiation on an existing SSL/TLS session, the connection will fail.
Typically renegotiation was used to obtain a client certificate sometime after the SSL/TLS connection was first established. Web applications which attempt to obtain a client certificate in this fashion will now fail.
Obtaining a client certificate during the initial connection handshake will continue to work correctly. This mode can be configured by setting the client-auth element to 'required' in server.xml:
<http-listener>
<ssl>
<client-auth>required</client-auth>
</ssl>
</http-listener>
|
A future update of Web Server 7 will implement a safe renegotiation protocol as soon as the IETF finalizes the design of the new protocol enhancement. It is possible to re-enable the vulnerable SSL/TLS renegotiation capability by setting the environment variable: NSS_SSL_ENABLE_RENEGOTIATION=1. This mode is known to be vulnerable to attack as described in CVE-2009-3555.
- © 2010, Oracle Corporation and/or its affiliates