Security Advisory for Covalent SSL Customers

By Wayne Kawamoto
Posted Aug 14, 2002


RSA Security has issued an advisory for RSA's SSL-C libraries, which are used in Covalent's SSL products.

Products Affected: All releases of Covalent SSL for Apache 1.3 and Apache 2.0 platforms:

  • Covalent SSL 1.5.x - 1.6
  • Covalent FastStart 2.x - 3.x
  • Covalent Managed Server
  • Covalent Secure Server
  • Covalent Enterprise Ready Server

Description

On August 8, 2002, RSA Security released an RSA SecureCare alert regarding vulnerabilities in the RSA BSAFE SSL libraries. Covalent has determined that the RSA BSAFE libraries used by Covalent SSL products are affected by these vulnerabilities. RSA has described three separate classes of vulnerabilities, two of which may impact Covalent customers.

  • Vulnerability 1: Buffer overflow in SSL V2 client key processing, originally described in CAN-2002-0656. This is only a concern if SSL V2 processing is enabled; see the instructions below to disable SSL V2 processing in Covalent products.
  • Vulnerability 2: Incorrect parsing of malformed client certificate data, caused by errors in the ASN.1 libraries (CAN-2002-0659). This is only a concern if client certificate processing is enabled, which is rarely implemented by customers.

The third vulnerability announced by RSA affects only 64-bit programs running on 64-bit operating systems; no Covalent products are currently compiled in 64-bit mode.

Covalent Response
Covalent recommends that all Covalent SSL customers disable SSL V2 processing. SSL V2 is an older version of SSL that is rarely used by modern browsers; these browsers generally use either SSL v3 or TLS, neither of which is affected. To disable SSL V2 processing, modify the SSLCipherSuite directive(s) in your httpsd.conf file to read as follows:

    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL:!SHA

CMP users should click the Edit icon under Cryptographic Security - SSL on the VHOST properties page, and enter the following string into the SSL Handshake Cyphers text box:

    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL:!SHA
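Because the directive can appear once globally and again inside each VirtualHost, it is worth checking that every scope actually carries the `!SSLv2` token. The following audit script is an added example, not Covalent's or RSA's code; it assumes OpenSSL-style cipher-string semantics (`!` removes permanently, `-` only until a later `+` re-adds) and runs over a constructed httpsd.conf fragment embedded inline.

```python
import re

# Constructed httpsd.conf fragment, not from the advisory: the global string
# permits SSLv2, vhost 1 has the fix, vhost 2 re-adds SSLv2, vhost 3 inherits.
SAMPLE_CONF = """\
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
<VirtualHost 10.0.0.1:443>
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL:!SHA
</VirtualHost>
<VirtualHost 10.0.0.2:443>
    SSLCipherSuite ALL:!ADH:-SSLv2:+HIGH:+SSLv2
</VirtualHost>
<VirtualHost 10.0.0.3:443>
    ServerName inherits.example.com
</VirtualHost>
"""
DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(\S+)", re.IGNORECASE)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)

def sslv2_status(cipher_string):
    """Classify how an OpenSSL-style cipher string treats SSLv2 suites. Tokens
    apply left to right: '!SSLv2' removes them permanently, '-SSLv2' only until
    a later 'SSLv2' or '+SSLv2' token adds them back."""
    tokens = [t.upper() for t in cipher_string.split(":")]
    if "!SSLV2" in tokens:
        return "disabled"
    if "-SSLV2" in tokens:
        last = max(i for i, t in enumerate(tokens) if t == "-SSLV2")
        if any(t in ("SSLV2", "+SSLV2") for t in tokens[last + 1:]):
            return "re-enabled"
        return "disabled-not-permanent"  # effective today, but prefer !SSLv2
    return "enabled"

def audit_cipher_suites(conf_text):
    """Map each scope (global or VirtualHost address) to (cipher_string, status).
    A vhost without its own SSLCipherSuite inherits the global one; if there is
    no global directive either, the library default is assumed to allow SSLv2."""
    findings, scope, seen = {}, "global", False
    for line in conf_text.splitlines():
        if m := VHOST_OPEN.match(line):
            scope, seen = m.group(1).strip(), False
        elif VHOST_CLOSE.match(line):
            if not seen:
                findings[scope] = findings.get("global", ("<default>", "enabled"))
            scope = "global"
        elif m := DIRECTIVE.match(line):
            findings[scope] = (m.group(1), sslv2_status(m.group(1)))
            seen = True
    return findings
```

Running `audit_cipher_suites(SAMPLE_CONF)` reports the global scope and vhost 2 as still accepting SSLv2 and shows vhost 3 inheriting the unfixed global string, which is the case a line-by-line search for `!SSLv2` would miss.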

Covalent customers using client certificate authentication should contact Covalent support for further information. Covalent expects to provide updated SSL modules beginning the week of August 26th that will contain the long-term solution for these vulnerabilities. If you have additional questions, please contact Covalent at support@covalent.net, or log an incident through your on-line support console.
