Bug 66225 - Lacking a check for the return value of SSL_renegotiate()
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: PC Mac OS X 10.1
Importance: P2 critical
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Reported: 2022-08-17 06:19 UTC by UVScan
Modified: 2023-03-30 17:10 UTC
Description UVScan 2022-08-17 06:19:31 UTC
According to the descriptions of SSL_renegotiate(), it has two different return values.
But in httpd-2.4.53/modules/ssl/ssl_engine_kernel.c, we find it lacks a check for the return value of SSL_renegotiate().

Reference: https://www.openssl.org/docs/man1.1.1/man3/SSL_renegotiate.html
Comment 1 UVScan 2022-08-18 04:18:42 UTC
If httpd does not check the return value of SSL_renegotiate(), it could cause a DoS attack.

Since the SSL renegotiation process needs many computing resources and the current httpd does not break the renegotiation process when the return value is 0 (for error), we can initiate many renegotiation requests to exhaust the resources of devices or services, causing a DoS attack.
Comment 2 Giovanni Bechis 2023-03-30 17:09:54 UTC
Fixed in r1908805.
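An audit helper for the bug class reported in this thread, added here as an example (it is not httpd code and not the r1908805 change): a regex heuristic, not a C parser, that lists the lines of a C source where the result of SSL_renegotiate() is discarded. The function name `unchecked_renegotiate_calls` and the sample source are constructed for illustration.

```python
import re

CALL = re.compile(r"\bSSL_renegotiate\s*\(")
# Comments and string/char literals, blanked so they cannot produce matches.
NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)

def _match(src, i, step):
    """Index of the parenthesis matching src[i], scanning in direction step."""
    depth = 0
    while 0 <= i < len(src):
        if src[i] in "()":
            depth += 1 if (src[i] == "(") == (step > 0) else -1
            if depth == 0:
                return i
        i += step
    return -1

def unchecked_renegotiate_calls(source):
    """1-based line numbers where the result of SSL_renegotiate() is discarded."""
    src = NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    hits = []
    for m in CALL.finditer(src):
        close = _match(src, m.end() - 1, +1)
        before = src[:m.start()].rstrip()
        if close < 0 or src[close + 1:].lstrip()[:1] != ";":
            continue  # unbalanced, or the value feeds a condition/argument
        if before.endswith(")"):
            # "(void)call;" and "if (cond) call;" both drop the value.
            o = _match(before, len(before) - 1, -1)
            head, inner = before[:o].rstrip(), before[o + 1:-1].strip()
            dropped = inner == "void" or re.search(r"\b(if|while|for)$", head)
        else:
            # Statement start: after ';', '{', '}', 'else', 'do', or at file start.
            dropped = not before or before[-1] in ";{}" or re.search(r"\b(else|do)$", before)
        if dropped:
            hits.append(src.count("\n", 0, m.start()) + 1)
    return hits

# Constructed sample, not taken from ssl_engine_kernel.c.
SAMPLE = '''\
/* SSL_renegotiate(ssl); in a comment is ignored */
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
if (SSL_renegotiate(ssl) <= 0)
    return -1;
rc = SSL_renegotiate(ssl);
if (retry)
    (void)SSL_renegotiate(ssl);
'''
print(unchecked_renegotiate_calls(SAMPLE))
```

Casts other than `(void)` and calls hidden behind macros are outside what this heuristic recognises, so treat an empty result as a starting point rather than proof.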