Apache/mod_ssl vulnerability and mitigation


The following announcement has just been made to the announce mailing list:

Apache httpd is affected by CVE-2009-3555[1] (The SSL Injection or MiM attack[2]).

The Apache httpd webserver relies on OpenSSL for the implementation of the SSL/TLS protocol.

We strongly urge you to upgrade to OpenSSL 0.9.8l; and to be prepared to deploy OpenSSL 0.9.8m as it becomes available[3].

Note that these are for short term and mid-term mitigation only; the long term solution may well require a modification of the SSL and/or TLS protocols[4].

For those who are not able to upgrade OpenSSL swiftly and/or for those who need detailed logging – we recommend that you roll out this patch[5]:

http://www.apache.org/dist/httpd/patches/

apply_to_2.2.14 CVE-2009-3555-2.2.patch

sha1: 28cd58f3758f1add39417333825b9d854f4f5f43

as soon as possible. This is a partial fix in lieu of the protocol issues being addressed and further changes to OpenSSL. Like the OpenSSL 0.9.8l stopgap measure this patch rejects in-session renegotiation.

If you are unable to patch and unable to roll out a newer version of OpenSSL, and you rely on Client Side Authentication with Certificates then we recommend that you 1) ensure that you limit your configuration to a single ‘SSLClient require’ on VirtualHost/Server level and 2) remove all other (re)negotiation/require directives. However this does NOT fully protect you – it just curtails authentication in this specific setting.
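As an added illustration that is not part of the announcement: in mod_ssl the client-certificate requirement is the `SSLVerifyClient` directive, and demanding it only inside a `<Location>` (or changing `SSLCipherSuite` there) is what makes httpd renegotiate an already established session. The first block is that pattern; the second is the single vhost-level requirement the advisory recommends. Hostnames and file paths are placeholders.

```apache
# Added example, not from the Apache announcement. Hostnames/paths are placeholders.

# --- Before: per-location client-cert demand forces in-session renegotiation ---
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    # Anonymous access on /, but a client certificate is required only under
    # /secure. mod_ssl must renegotiate the existing TLS session to ask for it,
    # which is exactly the mechanism CVE-2009-3555 abuses.
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# --- After: one vhost-level requirement, no per-location overrides ---
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    # The certificate is requested in the initial handshake, so no
    # renegotiation occurs mid-session. Per-Directory/Location changes to
    # SSLVerifyClient, SSLVerifyDepth or SSLCipherSuite are removed, since each
    # of them would trigger a renegotiation on first access to that path.
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

As the advisory states, this only narrows the window in this particular setup; upgrading OpenSSL or applying the patch above is still required.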
