HAProxy version 1.4.18
stunnel 4.44 with X-Forwarded-For patch
OpenSSL 0.9.8k 25 Mar 2009
Ubuntu 10.04.3 LTS
I'm submitting this here rather than to stunnel's list as I'm not using the most recent version of stunnel due to needing the X-Forwarded-For patch.
When I scan my domain (https://haproxytest.therapeuticresearch.com) using this tool:
https://www.ssllabs.com/ssldb/index.html
It reports this possible vulnerability:
"This server is easier to attack via DoS because it supports client-initiated renegotiation"
With a link to this article:
http://blog.ivanristic.com/2011/10/tls-renegotiation-and-denial-of-service-attacks.html
I have been looking for a way to disable client-initiated renegotiation on stunnel/openssl but haven't found a way. On the options description here:
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
It mentions "NO_SESSION_RESUMPTION_ON_RENEGOTIATION" but that doesn't sound like the same thing as disabling renegotiation. I tried that option nonetheless and the SSL labs scan still reported the same vulnerability.
This isn't a deal breaker; I was just curious if anyone else had run into this and was concerned about it and/or knew of a way to disable client-initiated renegotiation.
Thanks.
---
David Prothero
I.T. Director
Pharmacist's Letter / Prescriber's Letter
Natural Medicines Comprehensive Database
Ident-A-Drug / www.therapeuticresearch.com
(209) 472-2240 x231
(209) 472-2249 (fax)

Received on 2011/11/02 21:34