[upki-odcert:40] Re: SSL/TLS$B%j%M%4%7%(!<%7%g%s(B$BLdBj$K$D$$$F!J%5!<%PJT!K(B

Subject: [upki-odcert:40] Re: SSL/TLS$B%j%M%4%7%(!<%7%g%s(B$BLdBj$K$D$$$F!J%5!<%PJT!K(B
Date: Tue, 13 Apr 2010 15:24:35 +0900
From: Takeshi NISHIMURA <xxxxxxx@xxxxxxxxx>

$B@>B<$G$9!#(B

TLS$B%j%M%4%7%(!<%7%g%s@Hu67$r$^$H$a$F$_$^$7$?!#(B
$B%5!<%PJT$G$9!#(B

$B$$$/$D$+$N%5!<%P$K$O@HMh$N(B(RFC 5746
$BHsuBV$KLa$j$^$9$N$G!"I,MW$J(B
$B>l9g$K8B$jI,MW:G>.8B$N4|4V$@$1M-8z$K$9$k$3$H$r$*4+$a$7$^$9!#(B

$BA02s$N%j%s%/=8$KDI2C$7$^$9!#http://www.ipa.go.jp/security/fy21/reports/tech1-tg/b_02.html
http://soatruth.blogspot.com/2009/12/really-understanding-ssltls.html
http://itpro.nikkeibp.co.jp/article/COLUMN/20100309/345523/
  OpenSSL 0.9.8m$B%j%j!<%9!J(B2010/02/25$B!K(B
https://rhn.redhat.com/errata/RHSA-2010-0162.html
  openssl
https://rhn.redhat.com/errata/RHSA-2010-0166.html
  gnutls
https://rhn.redhat.com/errata/RHSA-2010-0165.html
  nss
http://java.sun.com/javase/javaseforbusiness/docs/TLSReadme.html
  Java

$B%5!<%P(B:
http://www.apache.org/dist/httpd/CHANGES_2.2.15
http://arstechnica.com/microsoft/news/2010/02/microsoft-warns-of-tslssl-flaw-in-windows.ars
http://itpro.nikkeibp.co.jp/article/COLUMN/20100316/345836/
  Apache HTTP$B%5!<%P!<(B2.2.15$B%j%j!<%9!J(B2010/03/06$B!K(B
http://kbase.redhat.com/faq/docs/DOC-20491
  Red Hat Enterprise Linux$B%"%C%W%G!<%H8x3+$K9g$o$;$F99?7$5$l$F$$$^$9(B
https://rhn.redhat.com/errata/RHSA-2010-0168.html


On 2010/03/03, at 3:08, Takeshi NISHIMURA wrote:

> $B@>B<$G$9!#(B
> 
> 2009$BG/(B11$B7n$K8x3+$K$J$C$?!"(BSSL/TLS$B%W%m%H%3%k$N%j%M%4%7%(!<%7%g%s(B
> (renegotiation, $B:F%M%4%7%(!<%7%g%s(B)$B$NLdBj$K$D$$$F!"3F%V%i%&%6(B
> $B$G$NBP1~$b=P$F$-$?$h$&$G$9$,!"$R$H$^$:;d$,=8$a$?%j%s%/$rDs6!$7$^$9!#(B
> 
> $BA4BN(B:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
> https://www.kb.cert.org/vuls/id/120541
> http://www.st.ryukoku.ac.jp/~kjm/security/memo/2009/11.html#20091106_TLS
> 
> $Bhttp://www.phonefactor.com/sslgap
> http://www.openssl.org/news/secadv_20091111.txt
> http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
> http://blogs.iss.net/archive/stealingcookieswiths.html
> http://www.g-sec.lu/practicaltls.pdf
> http://www.tombom.co.uk/blog/?p=85
> http://www.schneier.com/blog/archives/2009/12/reacting_to_sec.html
> http://www.st.ryukoku.ac.jp/~kjm/security/ml-archive/full-disclosure/2009.11/msg00062.html
> http://www.jpcert.or.jp/wr/2009/wr094401.html#3
> http://japan.cnet.com/news/sec/story/0,2000056024,20403071,00.htm
> http://www.itmedia.co.jp/enterprise/articles/0911/09/news015.html
> http://www.itmedia.co.jp/enterprise/articles/0911/17/news021.html
> https://www.netsecurity.ne.jp/1_14422.html
> 
> $Bhttp://www.rfc-editor.org/rfc/rfc5746.txt
> OpenSSL
>  http://www.openssl.org/news/changelog.html
>  http://cvs.openssl.org/fileview?f=openssl-web/news/announce.txt&v=1.52
>  http://cvs.openssl.org/fileview?f=openssl-web/news/announce.txt&v=1.53
> Firefox
>  https://developer.mozilla.org/NSS_3.12.5_release_notes
>  https://wiki.mozilla.org/Security:Renegotiation
>  https://bugzilla.mozilla.org/show_bug.cgi?id=535649
>  ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-central/
>  https://ssltls.de/renego.php
>  https://bugzilla.mozilla.org/show_bug.cgi?id=526689
>  https://bugzilla.mozilla.org/show_bug.cgi?id=537356
> Opera
>  http://my.opera.com/securitygroup/blog/2010/01/23/alpha-testing-tls-renego-fix
> Red Hat
>  http://kbase.redhat.com/faq/docs/DOC-20491
>  https://rhn.redhat.com/errata/RHSA-2009-1579.html
>  https://rhn.redhat.com/errata/RHSA-2010-0011.html
>  https://rhn.redhat.com/errata/RHSA-2009-1580.html
>  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555
> Ubuntu
>  http://www.ubuntu.com/usn/USN-860-1
>  http://gihyo.jp/admin/clip/01/ubuntu-topics/200911/0027
> FreeBSD
>  http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc
> OpenBSD
>  http://openbsd.org/errata46.html#004_openssl
>  http://openbsd.org/errata45.html#010_openssl
> Solaris$BB>(B
>  http://blogs.sun.com/security/entry/vulnerability_in_tls_protocol_during
>  http://jp.sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1
>  http://jp.sunsolve.sun.com/search/document.do?assetkey=1-66-273350-1
>  http://jp.sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1
>  http://software.fujitsu.com/jp/security/vulnerabilities/vu120541.html
> Windows
>  http://blogs.technet.com/srd/archive/2010/02/09/details-on-the-new-tls-advisory.aspx
>  http://support.microsoft.com/kb/977377/ja
> Mac OS X
>  http://support.apple.com/kb/HT4004?viewlocale=ja_JP&locale=ja_JP
>  http://itpro.nikkeibp.co.jp/article/COLUMN/20100127/343809/
> http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002319.html
> http://www.phonefactor.com/sslgap/ssl-tls-authentication-patches

-- 
$B@>B<7r(B
$B9qN)>pJs3X8&5f=j(B TEL:03-4212-2720

References:
- [upki-odcert:25] SSL/TLS$B%j%M%4%7%(!<%7%g%sLdBj(B$B$K$D$$$F(B
  - From: Takeshi NISHIMURA

Prev by Date: [upki-odcert:39] Re: [upki-odcert:38] Re: SSL/TLS$B%j%M%4%7%(!<%7%g%sLdBj$K$D$$$F(B$B!J3NG'J}K!!K(B
Next by Date: [upki-odcert:41] Re: SSL/TLS$B%j%M%4%7%(!<%7%g%s(B$BLdBj$K$D$$$F!J%V%i%&%6JT!K(B
Previous by thread: [upki-odcert:39] Re: [upki-odcert:38] Re: SSL/TLS$B%j%M%4%7%(!<%7%g%sLdBj$K$D$$$F(B$B!J3NG'J}K!!K(B
Next by thread: [upki-odcert:41] Re: SSL/TLS$B%j%M%4%7%(!<%7%g%s(B$BLdBj$K$D$$$F!J%V%i%&%6JT!K(B
Index(es):
- Date
- Thread

[upki-odcert:40] Re: SSL/TLS$B%j%M%4%7%(!<%7%g%s(B$BLdBj$K$D$$$F!J%5!<%PJT!K(B

[upki-odcert:40] Re: SSL/TLS$B%j%M%4%7%(!<%7%g%s(B$BLdBj$K$D$$$F!J%5!<%PJT!K(B