Bug 48157 - describe how to disable X-Header trick to attack client cert auth
Summary: describe how to disable X-Header trick to attack client cert auth
Status: RESOLVED WONTFIX
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Connector:Coyote (show other bugs)
Version: Unknown
Hardware: All All
: P2 critical (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-07 08:04 UTC by Ralf Hauser
Modified: 2009-11-09 07:44 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ralf Hauser 2009-11-07 08:04:00 UTC
as per http://extendedsubset.com/Renegotiating_TLS.pdf p. 4:


Is there a way to disable X-Headers with GET like paths in coyote - is so, describe in http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

see also bug 3463 and http://forums.sun.com/thread.jspa?messageID=10857837
Comment 1 Ralf Hauser 2009-11-07 08:09:41 UTC
see also Bug 48158
Comment 2 Mark Thomas 2009-11-07 09:09:42 UTC
Chances are any attempt to filter these out could be defeated and there is always a risk of a false positive. In addition, there may be other, more complex, attack vectors that would not be blocked.

I just kicked off a discussion on the dev list. Feel free to join in there.
Comment 3 Ralf Hauser 2009-11-09 04:06:08 UTC
Since we do not really have the option use "APR/Native" and we would be happy to have X-Header fixing heuristics as another optional server.xml attribute.
You fear in comment 2 that there are other more complex attack vectors, but if we can, shouldn't we fix the immediate and obvious ones all the same - even if we can't guarantee that there aren't worse, but also more complex attack vectors.

We happily offer to test and report at least for our setup.
Comment 4 Konstantin Kolinko 2009-11-09 05:12:13 UTC
If you really want something like that, you can write a Filter or a Valve. See org.apache.catalina.valves.RequestDumperValve for an example.

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
Comment 5 Mark Thomas 2009-11-09 06:08:15 UTC
My current understanding is that a filter/valve as proposed will do very little to mitigate this attack as the SSL handshaking occurs at the JSSE level and is simply not visible to the BIO & NIO connector code.