HAProxy version 1.4.18
stunnel 4.44 with X-Forwarded-For patch
OpenSSL 0.9.8k 25 Mar 2009
Ubuntu 10.04.3 LTS

I'm submitting this here rather than to stunnel's list as I'm not using the most recent version of stunnel due to needing the X-Forwarded-For patch.

When I scan my domain (https://haproxytest.therapeuticresearch.com) using this tool:
https://www.ssllabs.com/ssldb/index.html

It reports this possible vulnerability:
"This server is easier to attack via DoS because it supports client-initiated renegotiation"

With a link to this article:
http://blog.ivanristic.com/2011/10/tls-renegotiation-and-denial-of-service-attacks.html

I have been looking for a way to disable client-initiated renegotiation on stunnel/openssl but haven't found a way. On the options description here:
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

It mentions "NO_SESSION_RESUMPTION_ON_RENEGOTIATION" but that doesn't sound like the same thing as disabling renegotiation. I tried that option nonetheless and the SSL labs scan still reported the same vulnerability.

This isn't a deal breaker, I was just curious if anyone else had run into this and was concerned about it and/or knew of a way to disable client-initiated renegotiation.

Thanks.

---
David Prothero
I.T. Director
Pharmacist's Letter / Prescriber's Letter
Natural Medicines Comprehensive Database
Ident-A-Drug / www.therapeuticresearch.com
(209) 472-2240 x231
(209) 472-2249 (fax)