4.4 SSL Renegotiation support in Apache web server
4.4.1 Test for renegotiation
The OpenSSL has its own functionality to test whether the SSL renegotiation is enabled. The OpenSSL application called s _client can be used to emulate the SSL client. This client can be used to test the support for the SSL renegotiation. Listing 4.2 shows the output of this application when connected to the server. On Line 1, the OpenSSL s _client is executed with -connect option to connect to the server identified by the IP address 192.168.15.125. This machine runs the Apache/2.2.14 server. The standard port for the SSL services is 443. For brevity, the output of thes_clientapplication is abbreviated.
1 r o o t @ s u k a l p−l a p t o p : / home/ s u k a l p# OpenSSL s _ c l i e n t −c o n n e c t 1 9 2 . 1 6 8 . 1 5 . 1 2 5 : 4 4 3 2 CONNECTED( 0 0 0 0 0 0 0 3 ) 3 [ . . . ] 4 −−− 5 C e r t i f i c a t e c h a i n 6 [ . . . ] 7 −−− 8 S e r v e r c e r t i f i c a t e
4.5 Summary 41
9 −−−−−BEGIN CERTIFICATE−−−−− 10 [ . . . ]
11 −−−−−END CERTIFICATE−−−−− 12 −−−
13 New , TLSv1 / SSLv3 , C i p h e r i s DHE−RSA−AES256−SHA 14 S e r v e r p u b l i c k e y i s 2048 b i t 15 S e c u r e R e n e g o t i a t i o n I S s u p p o r t e d 16 C o m p r e s s i o n : z l i b c o m p r e s s i o n 17 E x p a n s i o n : z l i b c o m p r e s s i o n 18 SSL−S e s s i o n : 19 [ . . . ] 20 −−− 21 R 22 RENEGOTIATING 23 3 0 7 7 5 8 5 6 4 0 : e r r o r : 1 4 0 9 E0E5 : SSL r o u t i n e s : SSL3_WRITE_BYTES : s s l h a n d s h a k e f a i l u r e : s 3 _ p k t . c : 5 9 1 :
Listing 4.2: Secure Renegotiation Support in Apache Web Server.
Line 15 indicates that Secure Renegotiation is supported on the server side. The SSL renegotiation is triggered by sending letter "R" on an empty line after the SSL connection is established. Line 22 indicates that the renegotiation is in progress. In spite of being advertised on Line 15 that secure renegotiation is supported, Line 23 reports the failure message. With this message the SSL connection is terminated immediately. It should be noted that the version of OpenSSL used is up to date 6.
The similar experiment is performed replacing the Apache web server with the emulated SSL server implemented usings _servercommand (application) of the OpenSSL, triggering renegotiation by sending R on an empty line does trigger successful renegotiation.
Similar tests are also performed on older version of Apache (Apache 1.13) server and the renegotiation was successfully triggered using the same commands. Therefore, it can be observed that recent versions of Apache just forbid the renegotiation in spite of advertising the otherwise. However, this is not the complete truth. The latest version of the Apache does support the secure renegotiation. However, only the server can initiate the renegotiation. That is, only server initiated renegotiationis allowed.
This way, the latest versions of Apache web servers can mitigates the renegotiation based DoS attack.
4.5
Summary
This chapter introduced the SSL renegotiation feature. There are several applications where the SSL renegotiation appears to the suitable feature to be enabled while using the SSL protocols. However, SSL renegotiation does not necessarily add much value to the SSL protocols. Later, this chapter introduced two attacks based on the SSL renegotiation.
The first one is the attack, where an attacker can prefix his plaintext in the secure com- munication between the client and server. This vulnerability is called authentication gap. This vulnerability exists because the way SSL renegotiation is conducted in the SSL com- munication. This vulnerability is tackled by using the secure renegotiation instead of usual renegotiation. The secure renegotiation is specified in RFC 5746 [41].
The second attack is the computational DoS attack. This attack is applicable even when the secure renegotiation is implemented. The SSL based computational DoS attack focus on initiating a large number of SSL handshake within single SSL connection. The mitigation
6
techniques and their effectiveness are explained in this chapter. At the end, the way latest versions of the Apache web servers handle the SSL renegotiation, is described with the help of practical results.
This chapter mainly introduced the SSL renegotiation based DoS attack and explained the working of the thc-ssl-dos DoS tool. The comparative experiments are performed in Chapter 8 using this tool to evaluate the theoretical analysis made in this chapter.
CHAPTER
5
DoS Attack Analysis: SSL Record Processing
T
his chapter considers the number of test cases to verify the applicability of the DoS attacks due to the way SSL data is handled at the Record layer. This chapter is the result of the detailed review of the SSL protocol and its implementation OpenSSL.In the first section, the processing of the SSL record is considered to examine if it is properly done and it does not induce any vulnerabilities that could lead to DoS attacks. Some experiments are inspired from the vulnerabilities present in TCP protocol that cause DoS attacks.
Section 5.2 talks about the compression mechanism in the SSL protocol. The compression mechanism in the SSL protocol is not widely used. There are several known issues in using compression in general. These are discussed in this section. However, it is very important to analyse the compression mechanism in the SSL to produce the guidelines for the future use of the compression and explain the probable overhead that the compression might introduce. In order to understand the compression during the record layer processing, a detailed source code review of the OpenSSL implementation is done and the detailed analysis is provided along with the explanation of sample code to describe the compression mechanism in the SSL protocol.
Finally, this chapter is concluded with some final remarks in Section 5.3.
5.1
Record Processing
This section considers the strengths of the SSL record processing in resistance to the DoS attack. This section examines the SSL record processing for the common DoS vulnerabilities those are still a threat for the other related protocols such as TCP. Finally, an evaluation is provided whether the DoS attacks identified and described in this section are applicable to SSL protocols. If these attacks are applicable to the SSL protocol then to what extent these attacks are applicable is also described.