Re: [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)

Nicolas Williams <> Fri, 06 November 2009 17:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D38573A67EA for <>; Fri, 6 Nov 2009 09:42:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.017
X-Spam-Status: No, score=-6.017 tagged_above=-999 required=5 tests=[AWL=0.029, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eU6gc006Zin9 for <>; Fri, 6 Nov 2009 09:42:02 -0800 (PST)
Received: from (brmea-mail-1.Sun.COM []) by (Postfix) with ESMTP id 147373A6768 for <>; Fri, 6 Nov 2009 09:42:01 -0800 (PST)
Received: from ([]) by (8.13.6+Sun/8.12.9) with ESMTP id nA6HgPDY002513 for <>; Fri, 6 Nov 2009 17:42:25 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM []) by (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id nA6HgOCi025889 for <>; Fri, 6 Nov 2009 10:42:25 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost []) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nA6HNOWL010198; Fri, 6 Nov 2009 11:23:24 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nA6HNN85010197; Fri, 6 Nov 2009 11:23:23 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to using -f
Date: Fri, 6 Nov 2009 11:23:23 -0600
From: Nicolas Williams <>
To: Nikos Mavrogiannopoulos <>
Message-ID: <20091106172323.GY1105@Sun.COM>
References: <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.7i
Cc: Eric Rescorla <>, "" <>
Subject: Re: [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 06 Nov 2009 17:42:02 -0000

This vulnerability will affect different application protocols
differently.  It certainly affects HTTP.  I think LDAP may not be
susceptible, but I'm not sure; I'm even less sure about IMAP.  Others
have indicated that there definitely exist other applications besides
HTTP which do suffer from this vulnerability though, and that's the key:
of course there may be more than one application protocol that is made
vulnerable by this TLS problem.

We must fix this problem in TLS itself.  The fix may require changes to
some applications, depending not so much on the protocol as on the TLS
API used.