So there are some news from the front of OpenSSL CVE-2009-3555 (see this and this for the history). Now the latest version of Apache mod_ssl (2.2) embeds an option to reactivate old way client renegociation : SSLInsecureRenegotiation on Check the official doc for more details. With this option activated, you can now safely upgrade openSSL [...]
Archive of posts tagged Apache
SSL/TLS RFC updated against CVE-2009-3555
A solution has been finally brought up to fix CVE-2009-3555 and the temporary solution that broke client authentication. At least, the IETF agreed on a fix as Marsh Ray informs us, though it will still take some weeks for the whole validation process to complete. Moreover, as it requires both the servers and the clients [...]
waf00f
waf00f is another nice fingerprinting tool. It is a good complement to a tool like httprint. It is able to detect Web Application Firewalls. Its output can help you to determine the trust you can have in what httprint or any other web server fingerprinting tool found out. Check it there.
ModSecurity 2.5 review
I finished reading the ModSecurity 2.5 book, written by Magnus Mischell and published by Packt Publishing. I found a lot of interest reading it as I was already using ModSecurity – and I think anyone exposing an Apache web server should. I was actually using it partially. It is not trivial to secure a web [...]
OpenSSL : CVE-2009-3555 security fix and mod_ssl client authentication breakage
A security advisory on OpenSSL has recently been published. Details are there and there. It is vulnerable to a MiTM attack where the attacker can intercept and retrieve the credential to a trusted HTTPS website, by intercepting the session cookie sent back to the client. A proof of concept of an attack against Twitter was [...]
New book about ModSecurity
There will be a new book about mod-security coming out : ModSecurity 2.5. ModSecurity is essential when it comes to secure any web site. It will make the work of the attacker much harder and it may save you even if your favorite dynamic pages have a security hole. However, it must be configured wisely [...]
How to stop Firefox from prompting for the client certificate
I am using a client certificate to authenticate against some Apache HTTPS website. By default, Firefox 3 has a very annoying setting : it will prompt you with a box to select your certificate, every time the browser access to a file. I quickly realized that there is not setting in the preference tab to [...]
How-to : Mod-security 2 set-up for Apache 2
Mod-security is a security proxy for Apache. It adds a frontal layer filtering unwanted clients, malformed packets and malicious requests. It is especially usefull if your website is dynamic, involving php, sql, javascript, etc. With such a complex environment, as you can never be sure that your website is not vulnerable or up-to-date enough, something [...]
