secure_client_renego

 
tfh
-


Joined: 03 May 2020
Posts: 112
Location: Netherlands

Posted: Mon Aug 15, 2022 9:24 pm    Post subject: secure_client_renego

When doing some tests on my website, https://www.ssltrust.com.au/ tells me that my server is at risk for secure_client_renego, or better: SSL Renegotiation vulnerability.
Should I be worried?
_________________
https://www.arnauddeklerk.com
https://www.file-hunter.com
Horizon
-


Joined: 18 Feb 2022
Posts: 54

Posted: Wed Aug 17, 2022 3:39 am    Post subject: (none)

According to websites like StackExchange, the worst that could happen would be data leaks.

But the CVE (vulnerability report number) is from 2009, and there have been so many security updates to OpenSSL since then.

So I've got no doubt that the OpenSSL developers fixed that vulnerability long ago already.

So with the worst put aside, the client renegotiation & the secure client renegotiation seem to only be capable of enabling DoS attacks.

DoS attacks that use it are basically malicious TLS clients that spam your server with tons of TLS renegotiation messages.

The server, when renegotiating, does more work than the client, so the client could spam faster than the server is able to complete renegotiation requests.

The worst that could happen is your server no longer being able to handle so many TLS renegotiations, and no longer serving TLS sessions to other legitimate visitors.

It's also possible for the servers to refuse renegotiation requests from the TLS clients.
Servers can decide to only allow renegotiation when they themselves want to do it.

If you're behind a frontend like Cloudflare, or if you don't usually get DoS traffic, you should be fine.

However it might be a good idea to mail Aprelium to ask what the developers think of adding a 'server-only renegotiation' option - to refuse client-initiated renegotiation requests.

I don't know what would happen if renegotiation was directly disabled, but it could perhaps cause problems with Reverse-Proxy over HTTPS, like random disconnects & reconnects if a new TLS session has to be made instead of renewing the existing one? (like Abyss on PC-A to Abyss on PC-B kinds of Reverse-Proxying).

So, what I've read is that this could make a server vulnerable to DoS attacks that consume all your available TLS processing power for lots of useless renegotiations (legitimate visitors would not be able to connect).

Whether you should be worried about DoS attacks depends on whether the availability of your service is critical.

Parcel delivery services will probably treat DoS attacks against their servers as a serious threat, when the job is to work against the clock with nearly-constant availability.

Otherwise, simple hardware monitoring, like CPU temperature & things that can physically be affected by that kind of DoS incident, should work well enough.
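Added example, not part of the original thread and not Abyss Web Server or OpenSSL project code: the renegotiation flood described in the post above, seen from the defender's side. It assumes a hypothetical server-side log with one `handshake_start` line per TLS handshake (the log format, thresholds and function names are constructed for illustration) and also shows Python's `ssl.OP_NO_RENEGOTIATION`, which turns off all renegotiation in TLS 1.2 and earlier rather than only the client-initiated kind.

```python
import ssl
from collections import defaultdict

# Constructed sample events (not from a real server):
# "<seconds> <connection id> <event>", one line per handshake seen.
SAMPLE_EVENTS = """\
0.00 conn-1 handshake_start
0.05 conn-2 handshake_start
0.40 conn-2 handshake_start
0.45 conn-2 handshake_start
0.50 conn-2 handshake_start
0.55 conn-2 handshake_start
9.00 conn-1 handshake_start
"""

def flag_renegotiation_floods(log_text, max_renegs=3, window=10.0):
    """Return ids of connections with more than max_renegs renegotiations
    inside any sliding window of `window` seconds."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "handshake_start":
            continue  # skip malformed or unrelated lines
        times[parts[1]].append(float(parts[0]))
    flagged = []
    for conn, stamps in times.items():
        # The first handshake on a connection is the initial one;
        # every later handshake on the same connection is a renegotiation.
        renegs = sorted(stamps)[1:]
        start = 0
        for end, t in enumerate(renegs):
            while t - renegs[start] > window:
                start += 1
            if end - start + 1 > max_renegs:
                flagged.append(conn)
                break
    return sorted(flagged)

def server_context_without_renegotiation():
    """Server-side context that refuses renegotiation.
    OP_NO_RENEGOTIATION needs Python 3.7+ built against OpenSSL 1.1.0h+."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx
```

TLS 1.3 has no renegotiation at all, so the counter only matters for connections negotiated at TLS 1.2 or earlier.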
admin
Site Admin


Joined: 03 Mar 2002
Posts: 1295

Posted: Wed Sep 28, 2022 9:37 pm    Post subject: Re: secure_client_renego

tfh wrote:
When doing some tests on my website, https://www.ssltrust.com.au/ tells me that my server is at risk for secure_client_renego, or better: SSL Renegotiation vulnerability.
Should I be worried?


If you have old ciphers or protocols (<= TLS 1.1) still enabled, this makes sense.

Would it be possible to share the full output of the report for better advice on how to harden your setup?
_________________
Forum Administrator
Aprelium - https://aprelium.com
tfh
-


Joined: 03 May 2020
Posts: 112
Location: Netherlands

Posted: Thu Sep 29, 2022 2:26 pm    Post subject: (none)

Well, I'm using the most recent Abyss, so TLS 1.3.
The best way to get the full report is by going here:
https://www.ssltrust.com.au/ssl-tools/website-security-check?domain=www.arnauddeklerk.com
You'll need to be patient, as it takes quite some time to run all the checks.
admin
Site Admin


Joined: 03 Mar 2002
Posts: 1295

Posted: Thu Nov 10, 2022 10:46 pm    Post subject: (none)

tfh wrote:
Well, I'm using the most recent Abyss, so TLS 1.3.
The best way to get the full report is by going here:
https://www.ssltrust.com.au/ssl-tools/website-security-check?domain=www.arnauddeklerk.com
You'll need to be patient, as it takes quite some time to run all the checks.


The situation is not clear and needs further inquiry.

Another test from Qualys SSL lists the client renegotiation as two items:

https://www.ssllabs.com/ssltest/analyze.html?d=aprelium.com&hideResults=on

Code:

Secure Renegotiation   Supported
Secure Client-Initiated Renegotiation   Yes
Insecure Client-Initiated Renegotiation   No


And there is nothing bad in aprelium.com's settings for SSL here while the Aussies' test reports the same error as your site's.

We will check with our developers and get back to you with more details.
tfh
-


Joined: 03 May 2020
Posts: 112
Location: Netherlands

Posted: Sat Nov 12, 2022 4:11 pm    Post subject: (none)

admin wrote:
tfh wrote:
Well, I'm using the most recent Abyss, so TLS 1.3.
The best way to get the full report is by going here:
https://www.ssltrust.com.au/ssl-tools/website-security-check?domain=www.arnauddeklerk.com
You'll need to be patient, as it takes quite some time to run all the checks.


The situation is not clear and needs further inquiry.

Another test from Qualys SSL lists the client renegotiation as two items:

https://www.ssllabs.com/ssltest/analyze.html?d=aprelium.com&hideResults=on

Code:

Secure Renegotiation   Supported
Secure Client-Initiated Renegotiation   Yes
Insecure Client-Initiated Renegotiation   No


And there is nothing bad in aprelium.com's settings for SSL here while the Aussies' test reports the same error as your site's.

We will check with our developers and get back to you with more details.

Great... Looking forward to hearing their feedback ;)