HAProxy version 1.4.18

stunnel 4.44 with X-Forwarded-For patch

OpenSSL 0.9.8k 25 Mar 2009

Ubuntu 10.04.3 LTS

I'm submitting this here rather than to stunnel's list as I'm not using
the most recent version of stunnel due to needing the X-Forwarded-For
patch.

When I scan my domain (https://haproxytest.therapeuticresearch.com)
using this tool:

https://www.ssllabs.com/ssldb/index.html

It reports this possible vulnerability:

"This server is easier to attack via DoS because it supports
client-initiated renegotiation"

With a link to this article:
http://blog.ivanristic.com/2011/10/tls-renegotiation-and-denial-of-service-attacks.html

I have been looking for a way to disable client-initiated renegotiation
on stunnel/openssl but haven't found a way. On the options description
here:

http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

It mentions "NO_SESSION_RESUMPTION_ON_RENEGOTIATION" but that doesn't
sound like the same thing as disabling renegotiation. I tried that
option nonetheless and the SSL labs scan still reported the same
vulnerability.

This isn't a deal breaker; I was just curious if anyone else had run
into this and was concerned about it and/or knew of a way to disable
client-initiated renegotiation.

Thanks.

---

David Prothero

I.T. Director

Pharmacist's Letter / Prescriber's Letter

Natural Medicines Comprehensive Database

Ident-A-Drug / www.therapeuticresearch.com

(209) 472-2240 x231

(209) 472-2249 (fax)
