Bug 554084 - (CVE-2009-3555) VUL-0: CVE-2009-3555: gnutls: authentication gap
Status: RESOLVED FIXED
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Priority: P3 - Medium; Severity: Major
Assigned To: Security Team bot
maint:released:11.1:36666 maint:relea...
Blocks: 670152

Reported: 2009-11-10 10:37 UTC by Thomas Biege
Modified: 2019-05-01 15:31 UTC (History)
Found By: Development

Attachments
patch to make client tolerant (763 bytes, patch)
2010-12-16 13:46 UTC, Ludwig Nussel
fix advertising safe renegotiations (1.95 KB, patch)
2010-12-16 13:47 UTC, Ludwig Nussel

Description Thomas Biege 2009-11-10 10:37:52 UTC
Hi.
There is a security bug in 'gnutls'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:
	http://extendedsubset.com/?p=8

CVE number: CVE-2009-3555
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

Original posting:

CVE-2009-3555


A protocol malfunction eases man-in-the-middle attacks.

http://extendedsubset.com/?p=8
http://www.links.org/?p=780
http://www.ietf.org/mail-archive/web/tls/current/msg03928.html
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
Comment 1 Swamp Workflow Management 2009-11-10 10:40:19 UTC
The SWAMPID for this issue is 28665.
Please submit the patch and patchinfo file using this ID.
(https://swamp.suse.de/webswamp/wf/28665)
Comment 2 Thomas Biege 2009-11-10 15:02:50 UTC
CVE-2009-3555: CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Comment 3 Guan Jun He 2009-11-30 10:02:14 UTC
submitted to opensuse 11.2,11.1,11.0
Comment 4 Thomas Biege 2009-12-02 10:23:18 UTC
The patch we use: http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00014.html
Comment 5 Guan Jun He 2009-12-03 07:23:42 UTC
submitted to sle11/sle10-sp3/sle10-sp2/sles9-sp4
Comment 6 Ludwig Nussel 2009-12-03 08:02:26 UTC
Is there any official gnutls release that includes this patch yet? If it's not final we should not release packages that include it either IMHO.
Comment 7 Guan Jun He 2009-12-04 06:08:35 UTC
(In reply to comment #6)
> Is there any official gnutls release that includes this patch yet? If it's not
> final we should not release packages that include it either IMHO.

not yet;
Comment 8 Marcus Meissner 2010-01-05 15:25:20 UTC
an advisory was posted by the gnutls team + mailthread:
http://thread.gmane.org/gmane.network.gnutls.general/1838
Comment 9 Ludwig Nussel 2010-01-19 09:07:32 UTC
so currently there is no sign of an official upstream solution. Therefore we shouldn't release the update and remove it from the queue. I can reject the update but the packages need to be removed from the trees. Rudi, could you revert gnutls in all trees please?
Comment 10 Ludwig Nussel 2010-02-04 11:56:21 UTC
mass change of priority p5 security bugs to p3
Comment 11 Marcus Meissner 2010-02-05 13:49:14 UTC
i think rudi did so now.
Comment 12 Marcus Meissner 2010-04-15 15:03:33 UTC
2.8.6 released, still no sign of solution.
Comment 13 Guan Jun He 2010-09-25 05:48:09 UTC
upstream.
Comment 35 Guan Jun He 2010-09-29 08:03:46 UTC
fixed.
Comment 36 Ludwig Nussel 2010-09-29 12:22:11 UTC
upstream allows to configure renegotiations via the priority string. The default behavior for servers is to deny unsafe renegotiations. the default for clients is to still allow them for legacy reasons. What's the behavior in the patch you used?
Comment 37 Guan Jun He 2010-09-30 03:56:51 UTC
(In reply to comment #36)
> upstream allows to configure renegotiations via the priority string. The
> default behavior for servers is to deny unsafe renegotiations. the default for
> clients is to still allow them for legacy reasons. What's the behavior in the
> patch you used?

in default, the safe renegotiation is disabled.
Comment 38 Ludwig Nussel 2010-09-30 08:00:08 UTC
does that mean no renegotiations are enabled or only unsafe renegotiations are enabled by default? AFAICS the api to enable safe renegotiations from upstream is different so no one would actually use our api.
Comment 39 Ludwig Nussel 2010-09-30 15:04:21 UTC
I think we really should backport the upstream solution. Looking at the git repo they used the same patch we now have at first but improved it significantly over time.
Comment 42 Guan Jun He 2010-10-19 06:07:41 UTC
gnutls package in Base:System has been updated to the latest stable version 2.10.2, and the patch for this bug is included;

patch backported from upstream 2.10.2 for openSuSE11.3 has been submitted, including the complete testing code for safe renegotiation.
Comment 43 Guan Jun He 2010-10-21 12:28:16 UTC
(In reply to comment #42)
> gnutls package in Base:System has been updated to the latest stable version
> 2.10.2,and the patch for this bug is included;
> 
> patch backported from upstream 2.10.2 for openSuSE11.3 has been
> submitted,including the complete testing code for safe renegotiation.

patch backported from upstream 2.10.2 for openSuSE11.2 has been
submitted, including complete testing code for safe renegotiation.

patch for other versions will be submitted soon.
Comment 44 Guan Jun He 2010-10-21 15:38:11 UTC
(In reply to comment #43)
> (In reply to comment #42)
> > gnutls package in Base:System has been updated to the latest stable version
> > 2.10.2,and the patch for this bug is included;
> > 
> > patch backported from upstream 2.10.2 for openSuSE11.3 has been
> > submitted,including the complete testing code for safe renegotiation.
> 
> patch backported from upstream 2.10.2 for openSuSE11.2 has been
> submitted,including complete testing code for safe renegotiation.
> 
> patch for other versions will be submitted soon.

patch submitted to openSuSE11.1/sle-11-sp1/sle-11;

maybe only left sle-10-sp3, patch for sle-10-sp3 will be submitted tomorrow.
Comment 45 Guan Jun He 2010-10-22 06:33:33 UTC
(In reply to comment #44)
> (In reply to comment #43)
> > (In reply to comment #42)
> > > gnutls package in Base:System has been updated to the latest stable version
> > > 2.10.2,and the patch for this bug is included;
> > > 
> > > patch backported from upstream 2.10.2 for openSuSE11.3 has been
> > > submitted,including the complete testing code for safe renegotiation.
> > 
> > patch backported from upstream 2.10.2 for openSuSE11.2 has been
> > submitted,including complete testing code for safe renegotiation.
> > 
> > patch for other versions will be submitted soon.
> 
> patch submitted to openSuSE11.1/sle-11-sp1/sle-11;
> 
> maybe only left sle-10-sp3,patch for sle-10-sp3 will be submitted tomorrow.

patch for sle-10-sp3 has been submitted.
now, patch for all suse versions has been submitted :)
Comment 46 Swamp Workflow Management 2010-10-22 14:56:27 UTC
The SWAMPID for this issue is 36659.
This issue was rated as moderate.
Please submit fixed packages until 2010-11-05.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 47 Ludwig Nussel 2010-10-25 14:43:19 UTC
Thanks. Much better now :-)

However in preliminary tests with the sle11sp1 package I found the
following issues:

- gnutls-cli-debug just quits:
  $  gnutls-cli-debug localhost
  Resolving 'localhost'...
  Connecting to '::1:443'...
  Error in %INITIAL_SAFE_RENEGOTIATION
  Checking for Safe renegotiation support... $
- gnutls-cli doesn't actually rehandshake when the server asks for
  it (tried openssl s_server and pressed r)

I doubt this is by intention. Will you fix that?
Comment 48 Guan Jun He 2010-10-28 03:33:49 UTC
(In reply to comment #47)
> Thanks. Much better now :-)
> 
> However in preliminary tests with the sle11sp1 package I found the
> following issues:
> 
> - gnutls-cli-debug just quits:
>   $  gnutls-cli-debug localhost
>   Resolving 'localhost'...
>   Connecting to '::1:443'...
>   Error in %INITIAL_SAFE_RENEGOTIATION
>   Checking for Safe renegotiation support... $
> - gnutls-cli doesn't actually rehandshake when the server asks for
>   it (tried openssl s_server and pressed r)
> 
> I doubt this is by intention. Will you fix that?

well, I guess this is by intention: clients without support for safe renegotiation are able to handshake against servers with support, but not able to rehandshake.

and, this is the testing item #2 of tests/safe-renegotiation/, the source code is srn1.c, and you can check all the 7 testing items of tests/safe-renegotiation/.
Comment 49 Guan Jun He 2010-10-28 03:35:41 UTC
as comment#48.
Comment 50 Ludwig Nussel 2010-10-28 06:12:59 UTC
(In reply to comment #48)
> well,I guess this is by intention: clients without support for safe
> renegotiation is able to handshake against servers with support, but not able
> to rehandshake.

The test is supposed to just return 'no' so gnutls-cli-debug can
proceed with the other test. That's how it works on newer gnutls.
Comment 51 Ludwig Nussel 2010-11-22 12:30:32 UTC
Could you please fix gnutls-cli-debug? It also aborts if the server DOES support renegotiations.
Comment 53 Guan Jun He 2010-11-29 02:09:15 UTC
(In reply to comment #51)
> Could you please fix gnutls-cli-debug? It also aborts if the server DOES
> support renegotiations.

I could not access Novell's mail server, and it recovered yesterday.
I will check the issue you pointed out.
Comment 54 Guan Jun He 2010-11-29 04:13:14 UTC
(In reply to comment #53)
> (In reply to comment #51)
> > Could you please fix gnutls-cli-debug? It also aborts if the server DOES
> > support renegotiations.

I just checked the source code, and there are 3 points for the gnutls-cli-debug to exit:
1. test_name == NULL, that means all tests have been finished;
2. Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1;
3. cannot connect to server (socket connect);
I do not know what you mean by 'gnutls-cli-debug abort'?

> I could not access Novell's mail server, and it recovered yesterday.
> I will check the issue you pointed out.
Comment 55 Guan Jun He 2010-12-02 03:54:14 UTC
(In reply to comment #54)
> (In reply to comment #53)
> > (In reply to comment #51)
> > > Could you please fix gnutls-cli-debug? It also aborts if the server DOES
> > > support renegotiations.
> I just checked the source code,and there are 3 points for the gnutls-cli-debug
> to exit:
> 1. test_name == NULL,that means all tests has been finished;
> 2. Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1;
> 3. can not connect to server(socket connect);
> I do not know what do you mean 'gnutls-cli-debug abort'?
> 
> > I could not access Novell's mail server,and it recovered yesterday.
> > I will check the issue you pointed out.

Do you mean the gnutls_assert() in the patch?
Comment 56 Guan Jun He 2010-12-02 04:11:45 UTC
(In reply to comment #55)
> (In reply to comment #54)
> > (In reply to comment #53)
> > > (In reply to comment #51)
> > > > Could you please fix gnutls-cli-debug? It also aborts if the server DOES
> > > > support renegotiations.
> > I just checked the source code,and there are 3 points for the gnutls-cli-debug
> > to exit:
> > 1. test_name == NULL,that means all tests has been finished;
> > 2. Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1;
> > 3. can not connect to server(socket connect);
> > I do not know what do you mean 'gnutls-cli-debug abort'?
> > 
> > > I could not access Novell's mail server,and it recovered yesterday.
> > > I will check the issue you pointed out.
> 
> Do you mean the gnutls_assert() in the patch?

or can you provide more info or some logs?
thanks.
Comment 57 Ludwig Nussel 2010-12-02 08:32:09 UTC
no idea what's causing the behavior. Try running it to see yourself. I've used openssl s_server on 11.3 as server.
Comment 58 Guan Jun He 2010-12-03 07:19:44 UTC
Seems the priority string is not right in the testing source code.
Comment 59 Guan Jun He 2010-12-03 07:24:21 UTC
Seems the priority string is not right in the testing source code. I will do more check and testing. Since the upstream also has this issue, we may need to send the patch to upstream too if I produce a patch. This issue does not affect the lib, it's only wrong usage of the lib.
Comment 60 Guan Jun He 2010-12-06 05:03:20 UTC
(In reply to comment #59)
> Seems the priority string is not right in the testing source code. I will do
> more check and testing. Since the upstream also has this issue, we may need
> to send the patch to upstream too if I produce a patch. This issue does not
> affect the lib, it's only wrong usage of the lib.

yes, it's the testing code's error, and upstream's latest code has been fixed.
patch will be submitted soon.
Comment 61 Guan Jun He 2010-12-06 05:08:29 UTC
Resolving 'localhost'...
Connecting to '::1:4433'...
Checking for Safe renegotiation support... yes
Checking for Safe renegotiation support (SCSV)... yes
Checking for TLS 1.2 support... no
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... TLS 1.0
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for HTTPS server name... not checked
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether we need to disable TLS 1.0... N/A
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... no
Checking for certificate information... N/A
Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... partially
Checking whether the server supports session resumption... yes
Checking for export-grade ciphersuite support... yes
Checking RSA-export ciphersuite info... N/A
Checking for anonymous authentication support... no
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... no
Checking ephemeral Diffie-Hellman group info... N/A
Checking for AES cipher support (TLS extension)... yes
Checking for CAMELLIA cipher support (TLS extension)... yes
Checking for 3DES cipher support... yes
Checking for ARCFOUR 128 cipher support... yes
Checking for ARCFOUR 40 cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for max record size (TLS extension)... no
Checking for OpenPGP authentication support (TLS extension)... no
Comment 62 Guan Jun He 2010-12-06 06:10:10 UTC
patch submitted to sle-11-sp1/sle-11/11.1/11.2/11.3.
Comment 63 Swamp Workflow Management 2010-12-06 13:07:21 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls-extra26-debuginfo, libgnutls26, libgnutls26-debuginfo
Products:
openSUSE 11.1 (debug, i586, ppc, ppc64, x86_64)
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 64 Thomas Biege 2010-12-06 13:20:29 UTC
accidentally released opensuse packages. we will just release the new opensuse packages with the fixed testing code.

recycled patchinfos
Comment 65 Heiko Rommel 2010-12-13 16:05:04 UTC
When testing the prepared maintenance update

Products: SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64), SLE-DESKTOP 10-SP3 (i386, x86_64), SLE-SAP-APL 10-SP3 (x86_64), SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Category: security
ZYPP Patch No: 7271
MD5 sum: b46b5fc733d818e5fa4ece78dd43a914
SUBSWAMPID: 37615
Packager: gjhe@novell.com
Packages: gnutls >= 1.2.10-13.22.21, gnutls-32bit >= 1.2.10-13.22.21, gnutls-64bit >= 1.2.10-13.22.21, gnutls-devel >= 1.2.10-13.22.21, gnutls-devel-32bit >= 1.2.10-13.22.21, gnutls-devel-64bit >= 1.2.10-13.22.21, gnutls-x86 >= 1.2.10-13.22.21

I found that gnutls-cli is not operational anymore:

# gnutls-cli www.postbank.de -p 443
Resolving 'www.postbank.de'...
Connecting to '195.50.155.73:443'...
*** Fatal error: Safe renegotiation failed.
*** Handshake has failed
GNUTLS ERROR: Safe renegotiation failed.

In addition, I crossed another bug (which is not related but affects testing badly) which has been reported as Bug 659128.

Please advise.
Comment 66 Guan Jun He 2010-12-14 08:50:37 UTC
(In reply to comment #65)
> When testing the prepared maintenance update
> 
> Products: SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64), SLE-DESKTOP
> 10-SP3 (i386, x86_64), SLE-SAP-APL 10-SP3 (x86_64), SLE-DEBUGINFO 10-SP3 (i386,
> ia64, ppc, s390x, x86_64)
> Category: security
> ZYPP Patch No: 7271
> MD5 sum: b46b5fc733d818e5fa4ece78dd43a914
> SUBSWAMPID: 37615
> Packager: gjhe@novell.com
> Packages: gnutls >= 1.2.10-13.22.21, gnutls-32bit >= 1.2.10-13.22.21,
> gnutls-64bit >= 1.2.10-13.22.21, gnutls-devel >= 1.2.10-13.22.21,
> gnutls-devel-32bit >= 1.2.10-13.22.21, gnutls-devel-64bit >= 1.2.10-13.22.21,
> gnutls-x86 >= 1.2.10-13.22.21
> 
> I found that gnutls-cli is not operational anymore:
> 
> # gnutls-cli www.postbank.de -p 443
> Resolving 'www.postbank.de'...
> Connecting to '195.50.155.73:443'...
> *** Fatal error: Safe renegotiation failed.
> *** Handshake has failed
> GNUTLS ERROR: Safe renegotiation failed.
> 
> In addition, I crossed another bug (which is not related but affects testing
> badly) which has been reported as Bug 659128.
> 
> Please advise.

there is no patch for testing safe-renegotiation for sle10-sp3.
Comment 67 Ludwig Nussel 2010-12-14 10:11:58 UTC
(In reply to comment #66)
> there is no patch for testing safe-renegotiation for sle10-sp3.

I don't understand what you mean. Apparently gnutls could connect to
the server just fine before and now broke after the update.
Comment 68 Guan Jun He 2010-12-15 04:34:58 UTC
(In reply to comment #67)
> (In reply to comment #66)
> > there is no patch for testing safe-renegotiation for sle10-sp3.
> 
> I don't understand what you mean. 
I mean there is no testing code for testing safe-renegotiation for sle10-sp3.
> Apparently gnutls could connect to
> the server just fine before and now broke after the update.
I will check it.
Comment 69 Swamp Workflow Management 2010-12-15 12:07:19 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11 (i386, x86_64)
SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Comment 70 Guan Jun He 2010-12-16 04:22:47 UTC
(In reply to comment #68)
> (In reply to comment #67)
> > (In reply to comment #66)
> > > there is no patch for testing safe-renegotiation for sle10-sp3.
> > 
> > I don't understand what you mean. 
> I mean there is no testing code for testing safe-renegotiation for sle10-sp3.
> > Apparently gnutls could connect to
> > the server just fine before and now broke after the update.
> I will check it.

Seems like the unsafe (re)negotiation is denied.
Comment 71 Guan Jun He 2010-12-16 06:09:54 UTC
yes, we just need to adjust the default value to enable unsafe (re)negotiation.
And, there are 2 functions that can adjust this during running:
gnutls_safe_negotiation_set_initial();
gnutls_safe_renegotiation_set();


After adjusting the default value:

# gnutls-cli www.postbank.de -p 443
Resolving 'www.postbank.de'...
Connecting to '62.153.105.37:443'...
- Certificate type: X.509
 - Got a certificate list of 3 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'www.postbank.de'.
 # valid since: Wed Jul 28 08:00:00 CST 2010
 # expires at: Mon Aug 13 07:59:59 CST 2012
 # fingerprint: E0:5B:15:AD:8C:C6:28:25:53:24:09:00:09:59:51:74
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL SGC CA

 - Certificate[1] info:
 # valid since: Wed Nov  8 08:00:00 CST 2006
 # expires at: Tue Nov  8 07:59:59 CST 2016
 # fingerprint: 15:37:78:6E:D5:89:C8:CF:11:DC:9D:61:70:75:25:E9
 # Subject's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL SGC CA
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5

 - Certificate[2] info:
 # valid since: Wed Nov  8 08:00:00 CST 2006
 # expires at: Mon Nov  8 07:59:59 CST 2021
 # fingerprint: 9D:69:8D:F3:CB:F0:00:40:D4:58:06:25:26:CA:9D:3C
 # Subject's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
- Handshake was completed

- Simple Client Mode:
Comment 72 Guan Jun He 2010-12-16 06:28:29 UTC
Update tls session's init value to enable safe-renegotiation and unsafe-renegotiation.

patch submitted.
Comment 73 Hong Sun 2010-12-16 08:56:22 UTC
In Moblin image, before or after the update, run following commands, no response, will hang:

1. certtool --generate-privkey --bits 512 --outfile rsa.pem

2. certtool --generate-privkey --outfile ca-key.pem

3. certtool --generate-privkey --outfile key.pem


Maybe the version (gnutls-2.4.1) of gnutls is still too low

I build and update gnutls tarball to gnutls-2.8.6, then running above commands, it works normally.
Comment 74 Ludwig Nussel 2010-12-16 13:41:08 UTC
(In reply to comment #73)
> In Moblin image, before or after the update, run following commands, no
> response, will hung up:
> [...]
> Maybe the version(gnutls-2.4.1) of gnutls is still too low

No, this is supposed to work. Moblin uses the same package as sle11
and that one works just fine here. Maybe the entropy pool on your
machine was drained so the commands hang waiting for /dev/random?
Comment 75 Ludwig Nussel 2010-12-16 13:43:32 UTC
(In reply to comment #72)
> Update tls session's init value to enable safe-renegotiation and
> unsafe-renegotiation.
> 
> patch submitted.

the patch looks bogus to me. You're simply enabling unsafe renegotiations.
Comment 76 Ludwig Nussel 2010-12-16 13:46:04 UTC
Created attachment 405113
patch to make client tolerant

this allows the client to accept an initial unsafe negotiation for connecting to legacy servers but denies further unsafe negotiations. That's the common client behavior atm. The patch could be removed in the future if all servers are patched.
Comment 77 Ludwig Nussel 2010-12-16 13:47:20 UTC
Created attachment 405114
fix advertising safe renegotiations

this patch makes the client actually send the safe renegotiation extension. Without it the peer won't recognize.
Comment 78 Hong Sun 2010-12-17 02:33:52 UTC
(In reply to comment #74)
> (In reply to comment #73)
> > In Moblin image, before or after the update, run following commands, no
> > response, will hung up:
> > [...]
> > Maybe the version(gnutls-2.4.1) of gnutls is still too low
> 
> No, this is supposed to work. Moblin uses the same package as sle11
> and that one works just fine here. Maybe the entropy pool on your
> machine was drained so the commands hang waiting for /dev/random?


Hi Ludwig,

How do I check my machine about entropy pool? and how to avoid this issue? please kindly help, thanks ~
Comment 79 Hong Sun 2010-12-17 02:57:14 UTC
I run command "strace certtool -p" and got some info as following:

open("/dev/random", O_RDONLY)           = 4
fcntl64(4, F_GETFD)                     = 0
fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
select(5, [4], NULL, NULL, {3, 0})      = 0 (Timeout)
select(5, [4], NULL, NULL, {3, 0})      = 0 (Timeout)
select(5, [4], NULL, NULL, {3, 0})      = 0 (Timeout)
select(5, [4], NULL, NULL, {3, 0})      = 0 (Timeout)
select(5, [4], NULL, NULL, {3, 0})      = 0 (Timeout)
select(5, [4], NULL, NULL, {3, 0})      = 0 (Timeout)
select(5, [4], NULL, NULL, {3, 0})      = 0 (Timeout)
select(5, [4], NULL, NULL, {3, 0})      = 0 (Timeout)
Comment 80 Hong Sun 2010-12-17 03:23:26 UTC
I noticed that it will generate data for /dev/random by moving the mouse, and the command can be run well, but without it generating entropy is so difficult.
Comment 82 Guan Jun He 2010-12-21 02:24:37 UTC
(In reply to comment #77)
> Created an attachment (id=405114)
> fix advertising safe renegotiations
> 
> this patch makes the client actually send the safe renegotiation extension.
> Without it the peer won't recognize.

seems good, have you tested it?
Comment 83 Ludwig Nussel 2010-12-21 08:17:45 UTC
(In reply to comment #82)
> (In reply to comment #77)
> > Created an attachment (id=405114)
> > fix advertising safe renegotiations
> > 
> > this patch makes the client actually send the safe renegotiation extension.
> > Without it the peer won't recognize.
> 
> seems good,have you tested it?

Yes, against openssl s_server from 11.3
Comment 84 Swamp Workflow Management 2010-12-22 16:47:00 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls-extra26-debuginfo, libgnutls26, libgnutls26-debuginfo
Products:
openSUSE 11.1 (debug, i586, ppc, ppc64, x86_64)
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 85 Swamp Workflow Management 2010-12-22 20:04:40 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-HAE 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 86 Swamp Workflow Management 2010-12-23 16:08:18 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26
Products:
SUSE-MOBLIN 2.0 (i386)
SUSE-MOBLIN 2.0-DEBUG (i386)
Comment 87 Swamp Workflow Management 2010-12-23 16:08:39 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26
Products:
SUSE-MOBLIN 2.1 (i386)
SUSE-MOBLIN 2.1-DEBUG (i386)
Comment 88 Guan Jun He 2010-12-27 05:53:30 UTC
patch submitted to sle10sp3 and sle10sp4.
Comment 89 Heiko Rommel 2010-12-29 12:18:31 UTC
When testing the prepared update

Products: SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64), SLE-DESKTOP 10-SP3 (i386, x86_64), SLE-SAP-APL 10-SP3 (x86_64), SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Category: security
ZYPP Patch No: 7291
MD5 sum: fa1b788578ffaeb13a4b81773cceb4cf
SUBSWAMPID: 37890
Packager: gjhe@novell.com
Packages: gnutls >= 1.2.10-13.24.1, gnutls-32bit >= 1.2.10-13.24.1, gnutls-64bit >= 1.2.10-13.24.1, gnutls-devel >= 1.2.10-13.24.1, gnutls-devel-32bit >= 1.2.10-13.24.1, gnutls-devel-64bit >= 1.2.10-13.24.1, gnutls-x86 >= 1.2.10-13.24.1

I found that the issue I reported in comment #65 is still not fixed on any architecture. While renegotiation of gnutls-cli seems to work with servers that support safe renegotiation it completely fails on servers that support only legacy renegotiation (like www.postbank.de, www.paypal.com etc.)

As a proof I used the setup from the bug reproduction steps on an openssl server that does not support safe renegotiation (I used openSUSE 11.1 with the GA libopenssl on boxer.suse.de) and run the gnutls client:

server side:

boxer:/usr/share/ssl/misc # scp demoCA/cacert.pem root@s390t11:/tmp/
cacert.pem                                                                                 100% 3395     3.3KB/s   00:00

boxer:/usr/share/ssl/misc # openssl s_server -legacy_renegotiation -accept 4433 -cert newcert.pem -key newkey_npw.pem
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

client side:

s390t11:~ # gnutls-cli boxer.suse.de -p 4433 --x509cafile /tmp/cacert.pem
Processed 1 CA certificate(s).
Resolving 'boxer.suse.de'...
Connecting to '10.10.0.102:4433'...
*** Fatal error: Safe renegotiation failed.
*** Handshake has failed
GNUTLS ERROR: Safe renegotiation failed.

server side:

ERROR
4601:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
shutting down SSL
CONNECTION CLOSED
ACCEPT

Please advise.
Comment 91 Guan Jun He 2010-12-31 07:46:33 UTC
(In reply to comment #83)
> (In reply to comment #82)
> > (In reply to comment #77)
> > > Created an attachment (id=405114)
> > > fix advertising safe renegotiations
> > > 
> > > this patch makes the client actually send the safe renegotiation extension.
> > > Without it the peer won't recognize.
> > 
> > seems good,have you tested it?
> 
> Yes, against openssl s_server from 11.3

So, how did you test it? For comment #89, it does not work.
Comment 92 Guan Jun He 2010-12-31 07:53:46 UTC
(In reply to comment #91)
> (In reply to comment #83)
> > (In reply to comment #82)
> > > (In reply to comment #77)
> > > > Created an attachment (id=405114)
> > > > fix advertising safe renegotiations
> > > > 
> > > > this patch makes the client actually send the safe renegotiation extension.
> > > > Without it the peer won't recognize.
> > > 
> > > seems good,have you tested it?
> > 
> > Yes, against openssl s_server from 11.3
> 
> So, how did you test it?For comment #89, it does not work.

oh, I see, you only tested it against server support safe-renegotiation;
And, you also have advised that the legacy renegotiation should be removed (as comment #76), is there any plan to do this?
Comment 93 Swamp Workflow Management 2011-01-03 13:38:19 UTC
The SWAMPID for this issue is 36659.
This issue was rated as moderate.
Please submit fixed packages until 2011-01-17.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 94 Marcus Meissner 2011-01-04 10:54:12 UTC
it should work against servers that support either safe-renegotiation or not
(like e.g. paypal)

it should not do renegotiation on the old ones (but it should still connect).

Can you please run tests against both kinds of servers before submission?
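
The three client behaviours discussed in this thread (refusing legacy servers as in comment 65, tolerating them for the first handshake only as in comments 76 and 94, and allowing everything as in comment 72) are compared in the following C program. It is an added example, not code from the attached patches or from GnuTLS; it models the client's ServerHello check of the renegotiation_info extension as specified in RFC 5746, goes slightly beyond the thread by also checking the verify_data binding for patched servers, and all policy names, structs and functions are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; none of them are GnuTLS identifiers. */
enum reneg_policy {
    POLICY_STRICT,   /* refuse any server that omits renegotiation_info */
    POLICY_TOLERANT, /* legacy server may connect once, never rehandshake */
    POLICY_UNSAFE    /* legacy server may connect and rehandshake */
};
enum verdict { HS_ACCEPT, HS_REJECT };

#define VD_MAX 36 /* Finished verify_data: 12 bytes in TLS, 36 in SSL 3.0 */

struct conn_state {
    int handshakes_done; /* 0 until the initial handshake completes */
    int peer_is_safe;    /* server sent the extension in that handshake */
    unsigned char client_vd[VD_MAX], server_vd[VD_MAX];
    size_t vd_len;
};

/* Client-side check of a ServerHello. `ext` is the renegotiated_connection
 * field of renegotiation_info, or NULL when the server sent no extension. */
enum verdict client_check_server_hello(const struct conn_state *c,
                                       enum reneg_policy policy,
                                       const unsigned char *ext, size_t ext_len)
{
    int initial = (c->handshakes_done == 0);

    if (ext == NULL) {
        if (initial) /* legacy server: connecting is a policy decision */
            return policy == POLICY_STRICT ? HS_REJECT : HS_ACCEPT;
        if (c->peer_is_safe) /* extension vanished mid-session: fatal */
            return HS_REJECT;
        return policy == POLICY_UNSAFE ? HS_ACCEPT : HS_REJECT;
    }
    if (initial) /* nothing to bind to yet, so the field must be empty */
        return ext_len == 0 ? HS_ACCEPT : HS_REJECT;
    if (!c->peer_is_safe) /* conservative choice made for this example */
        return HS_REJECT;
    /* Rehandshake: the field must equal client_verify_data followed by
     * server_verify_data from the handshake protecting this connection. */
    if (ext_len != 2 * c->vd_len ||
        memcmp(ext, c->client_vd, c->vd_len) != 0 ||
        memcmp(ext + c->vd_len, c->server_vd, c->vd_len) != 0)
        return HS_REJECT;
    return HS_ACCEPT;
}

/* Save the Finished values the next rehandshake has to be bound to. */
void record_handshake(struct conn_state *c, int saw_ext,
                      const unsigned char *cvd, const unsigned char *svd,
                      size_t len)
{
    if (len > VD_MAX)
        len = VD_MAX;
    if (c->handshakes_done == 0)
        c->peer_is_safe = saw_ext;
    memcpy(c->client_vd, cvd, len);
    memcpy(c->server_vd, svd, len);
    c->vd_len = len;
    c->handshakes_done++;
}

/* One initial handshake plus one rehandshake. Returns 0 if the connection
 * is refused, 1 if it connects but the rehandshake is refused, 2 if both
 * succeed. `mismatch` makes the patched server send a wrong binding. */
int simulate(enum reneg_policy policy, int server_safe, int mismatch)
{
    /* Constructed verify_data values, not taken from a real session. */
    static const unsigned char cvd[12] = {1,2,3,4,5,6,7,8,9,10,11,12};
    static const unsigned char svd[12] = {21,22,23,24,25,26,27,28,29,30,31,32};
    unsigned char ext[24] = {0};
    struct conn_state c;

    memset(&c, 0, sizeof c);
    if (client_check_server_hello(&c, policy, server_safe ? ext : NULL, 0)
        != HS_ACCEPT)
        return 0;
    record_handshake(&c, server_safe, cvd, svd, sizeof cvd);

    memcpy(ext, cvd, sizeof cvd);
    memcpy(ext + sizeof cvd, svd, sizeof svd);
    if (mismatch)
        ext[0] ^= 0xff;
    if (client_check_server_hello(&c, policy, server_safe ? ext : NULL,
                                  server_safe ? sizeof ext : 0) != HS_ACCEPT)
        return 1;
    return 2;
}

int main(void)
{
    static const char *names[] = { "strict", "tolerant", "unsafe" };
    for (int p = POLICY_STRICT; p <= POLICY_UNSAFE; p++)
        printf("%-8s legacy=%d patched=%d mismatch=%d\n", names[p],
               simulate(p, 0, 0), simulate(p, 1, 0), simulate(p, 1, 1));
    return 0;
}
```

Only the tolerant policy gives the result asked for in comment 94: a legacy server yields 1 (connects, no rehandshake) and a patched server yields 2.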
Comment 95 Marcus Meissner 2011-01-05 11:02:15 UTC
i just resubmitted gnutls for sles10 sp3 with

- ludwigs tolerate patch attached here
- some s390x fixes to fix s390x regressions
Comment 96 Swamp Workflow Management 2011-01-26 18:04:08 UTC
Update released for: gnutls, gnutls-32bit, gnutls-64bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-devel-64bit, gnutls-x86
Products:
SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP3 (i386, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Comment 97 Marcus Meissner 2011-01-31 15:52:44 UTC
released
Comment 101 Marcus Meissner 2011-02-11 13:29:45 UTC
backport done, currently mbuild fine.
/work/built/mbuild/grape-meissner-14/


i have however not tested it. perhaps we could bring it via maintenance update too now that the work is done.
Comment 102 Leonardo Chiquitto 2011-02-14 11:27:07 UTC
Marcus, thanks for doing the back port.
Comment 103 Swamp Workflow Management 2011-02-15 14:12:33 UTC
The SWAMPID for this issue is 38689.
This issue was rated as moderate.
Please submit fixed packages until 2011-03-01.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 104 Leonardo Chiquitto 2011-03-17 18:58:21 UTC
*** Bug 670152 has been marked as a duplicate of this bug. ***
Comment 112 Marcus Meissner 2011-04-29 09:35:26 UTC
just released sles9 update
Comment 113 Swamp Workflow Management 2011-04-29 11:54:55 UTC
Update released for: gnutls, gnutls-devel
Products:
Novell-Linux-POS 9 (i386)
Open-Enterprise-Server 9 (i386)
SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
Comment 114 Leonardo Chiquitto 2011-06-02 21:26:32 UTC
*** Bug 670152 has been marked as a duplicate of this bug. ***
Comment 115 Swamp Workflow Management 2014-03-03 20:52:35 UTC
Update released for: gnutls, gnutls-32bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-x86
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 116 Swamp Workflow Management 2014-03-04 00:05:16 UTC
SUSE-SU-2014:0320-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (critical)
Bug References: 536809,554084,659128,739898,753301,754223,802651,821818,865804,865993
CVE References: CVE-2009-5138,CVE-2011-4108,CVE-2012-0390,CVE-2012-1569,CVE-2012-1573,CVE-2013-0169,CVE-2013-1619,CVE-2013-2116,CVE-2014-0092
Sources used:
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    gnutls-1.2.10-13.38.1
Comment 118 Swamp Workflow Management 2014-06-16 12:48:11 UTC
Update released for: gnutls, gnutls-devel
Products:
SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
Comment 119 Swamp Workflow Management 2014-06-16 16:04:25 UTC
SUSE-SU-2014:0800-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 554084,670152,802651,880730,880910
CVE References: CVE-2013-1619,CVE-2014-3466,CVE-2014-3467,CVE-2014-3468,CVE-2014-3469
Sources used:
SUSE CORE 9 (src):    gnutls-1.0.8-26.32
Comment 120 Bernhard Wiedemann 2016-04-15 10:30:15 UTC
This is an autogenerated message for OBS integration:
This bug (554084) was mentioned in
https://build.opensuse.org/request/show/25261 11.2 / gnutls
https://build.opensuse.org/request/show/50940 11.3:Test / gnutls
https://build.opensuse.org/request/show/51195 11.2:Test / gnutls