I am getting the following error on one of my Fidelity pages:
scs.fidelity.com : server does not support RFC 5746, see CVE-2009-3555
I googled "CVE-2009-3555" which revealed the following:
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
In my case this means I have a function that will not load from the Fidelity website. And from reading this, maybe a "man in the middle" vulnerability.
Does anyone know if this has been fixed? This would appear to be SSL or OS related from the description, so Firefox and Mono or Moonlight wouldn't seem to be the correct locations for a bug report, and since it is a "known" hazard, the bug must have already been reported. So my question is what should I do to rectify the situation? Les H
On 03/06/2011 10:25 PM, les wrote:
> I am getting the following error on one of my Fidelity pages:
> scs.fidelity.com : server does not support RFC 5746, see CVE-2009-3555
> I googled "CVE-2009-3555" which revealed the following:
This was fixed in openssl 0.9.8n and later sometime in spring of 2010 - sounds like the Fidelity web server needs to be updated. You could try a more forgiving browser and see if you make any further progress.
They seem to be running FWS/7.0 (private name if not private build of something) - updated May 2010 and again in Feb 2011 .. no idea if their server has updated SSL patches. Looks like you need to ask Fidelity.
gene/
Sounds to me that Firefox is "protecting" you from this exploit by preventing the connection. Perhaps it's being a bit over-protective, and should allow you to override it like an expired/self-signed SSL Certificate. The actual problem is most likely the scs.fidelity.com web server however.
On 03/06/2011 10:25 PM, les wrote:
> I am getting the following error on one of my Fidelity pages:
> scs.fidelity.com : server does not support RFC 5746, see CVE-2009-3555
> I googled "CVE-2009-3555" which revealed the following:
> The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
> In my case this means I have a function that will not load from the Fidelity website. And from reading this, maybe a "man in the middle" vulnerability.
> Does anyone know if this has been fixed? This would appear to be SSL or OS related from the description, so Firefox and Mono or Moonlight wouldn't seem to be the correct locations for a bug report, and since it is a "known" hazard, the bug must have already been reported. So my question is what should I do to rectify the situation? Les H
On Sun, Mar 6, 2011 at 8:25 PM, les hlhowell@pacbell.net wrote:
> I am getting the following error on one of my Fidelity pages:
> scs.fidelity.com : server does not support RFC 5746, see CVE-2009-3555
As a fellow Fidelity user, you need to do one thing first:
Upgrade Firefox to the latest version and try again. If you still cannot connect to Fidelity, contact them at the 1-800 (toll free) service number and talk to them.
To let you know, I have no issues connecting to their site with Firefox 3.1.16 (whatever the release was this weekend) as I had to log on to change my e-mail address.
James McKenzie