even with stls this is not the case ! the permission is denied after an
initial relay has been made to an arbitrary server.
therefore the delegate master process still is vulnerable to ddos ! :-(
greetz martin papadopoulos
email@example.com (Yutaka Sato)
Please reply to
Re: [DeleGate-En:3553] delegate security flaw [Virus checked]
you firstname.lastname@example.org wrote:
|i recently discovered a security flaw which is related to the delegate
|although using a filter like FCL="sslway ..... -Vrfy", when running in
|master mode , clients which are rejected by the ssl-layer, still
|cause delegate to open a connection to a destination server , this can
|has been used to accomplish ddos . the FCL should reject the connection
|establishment to an arbitrary server , before rejecting the ssl
|. in case you need log files for forensic analysis, i will post them.
|now, i strongly
|recommend everyone to shut down delegate master services until this one
Maybe you are using a version of DeleGate older than DeleGate/9.2.5-pre7.
As written in <URL:http://www.delegate.org/delegate/tls/> after
I'm shifting to STLS=fcl,fsv instead of the obsoleted FCL,FSV=sslway in the
versions. In fact, FCL,FSV=sslway for MASTER is disabled in 9.2.5-pre7.
With STLS=fcl, the whole communication between DeleGates is encrypted with
SSL, so if the SSL-layer is not established, no further action will be
Chaining DeleGates with MASTER and STLS can be done as follows.
a% delegated -Pa:8888 STLS=fcl
b% delegated -Pb:8023 STLS=fsv MASTER=a:8888 SERVER=telnet
You can use authentication by client-side certificate as follows:
a% delegated -Pa:8888 STLS="fcl,sslway -Vrfy"
b% delegated -Pb:8023 STLS="fsv,sslway -cert file" MASTER=a:8888
Now the latest pre-release version of DeleGate has become 9.2.5-pre19
is almost ready to be released as an official version DeleGate/9.2.5
to be released tomorrow <URL:http://delegate.org/mail-lists/delegate/13534
So you are strongly recommended to use the latest version of DeleGate with
9 9 Yutaka Sato <email@example.com> http://delegate.org/y.sato/
( ~ ) National Institute of Advanced Industrial Science and Technology
_< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller