Updates on OpenSSL CVE-2009-3555 (client renegotiation)

There is some news from the front of OpenSSL CVE-2009-3555 (see the earlier posts for the history).

The latest version of Apache mod_ssl (2.2) now has an option to re-enable the old, pre-fix style of client renegotiation:

SSLInsecureRenegotiation on

Check the official documentation for more details. With this option enabled, you can upgrade OpenSSL and mod_ssl without breaking your clients; note that it only restores compatibility, the renegotiation itself stays insecure until clients support the new protocol. They should have done it from the beginning, shouldn't they?

The next step will be to move to the new protocol permanently, which solves the CVE-2009-3555 vulnerability for good. For that, we have to wait for the browsers to support it.
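To know when the option above can be switched off again, an administrator needs a way to see whether a given server actually negotiates the new renegotiation extension (RFC 5746). The shell check below is an added example, not code from the original post; it assumes the "Secure Renegotiation IS supported" / "IS NOT supported" line printed by `openssl s_client` from an OpenSSL build that implements the extension, and that the host is reachable.

```shell
#!/bin/sh
# Added example (not from the original post): classify a server's renegotiation
# support from `openssl s_client` output, so an admin can tell when it is safe
# to drop "SSLInsecureRenegotiation on" and rely on RFC 5746 only.

# Reads s_client output on stdin and prints one of: secure, legacy, unknown.
# OpenSSL prints "Secure Renegotiation IS supported" when the extension was
# negotiated and "Secure Renegotiation IS NOT supported" when it was not.
classify_renegotiation() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS NOT supported"*) echo legacy ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                        echo unknown ;;   # no handshake, old openssl, etc.
    esac
}

# Connects to HOST[:PORT] (assumed reachable) and classifies the result.
# A "legacy" answer means clients of this server still depend on the
# insecure renegotiation fallback.
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | classify_renegotiation
}

# Usage: check_host www.example.com    (hostname is a placeholder)
```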

Firefox has started serious work on it, and we can expect some support in the next releases (some settings will be exposed through about:config).

They even created a test site. This screenshot was taken from Google Chrome (5.0.366.2, openSUSE repo), which already supports the new protocol:

Comments (3)

  1. Wolfgang wrote:

    The recent Firefox and SeaMonkey updates, together with mozilla-nss 3.12.6 which is available in the mozilla OBS repo, should (and do in my tests) support everything that's needed.
    Updates for 11.2 and earlier openSUSE/SLE versions are in preparation.

    Posted 05 Apr 2010 at 7:17 pm
  2. JC wrote:

    @Wolfgang: Thanks for the info.

    Posted 05 Apr 2010 at 8:35 pm
  3. Scott wrote:

    Can't log in with Facebook. I get the CVE-2009-3555 error message. What can I do? I have logged in hundreds of times before!

    Posted 17 May 2011 at 6:27 am
