sunhux

asked on

SSL/TLS renegotiation vulnerability: how to disable on webservers & mitigations

I think this vulnerability has CVE# CVE-2009-3555.

Q1:
Besides IPS (which some vendors don't have signatures for; I was told the nature of the
detection logic is still rather lacking, though I don't know how Deep Security managed
to produce a signature for it in 2009), what are the ways to mitigate?

Q2:
I was told web servers with ssl/openssl can be configured such that they are not vulnerable.
Kindly provide detailed steps on how to do this for Apache (& Oracle Web Server) & IIS.

Q3:
I was told modern browsers are protected against it: kindly let me know any specific settings
we need to set in IE, Firefox & Chrome to protect against this or is this something built into
the browser?


L09 - SSL / TLS renegotiation vulnerability
================================
The server encrypts traffic using SSL / TLS, but allows a client to renegotiate the connection after the initial handshake. As the server does not appear to limit the number of renegotiations for a single SSL / TLS connection, a client may open several simultaneous connections and repeatedly renegotiate them, which may possibly lead to a DoS condition.
SOLUTION
David Johnson, CD
This solution is only available to members.
SOLUTION
This solution is only available to members.
sunhux

ASKER

Ok, for Apache, is there a specific command to fix this? I was told by Red Hat
that they don't release patches for it, so a certain configuration has to be done in
Apache to address it; any idea how this is done?
sunhux

ASKER

Correction:

I was told by Red Hat that they don't release patches for it (i.e. for RHEL 5.x),
though they did release patches for RHEL 6.x for Apache.
ASKER CERTIFIED SOLUTION
This solution is only available to members.