From: Lukas Tribus <luky...@hotmail.com>
Sent: 2014-05-16 13:23:43 E
To: Patrick Hemmer <hapr...@stormcloud9.net>, haproxy@formilux.org <haproxy@formilux.org>
Subject: RE: Disable TLS renegotiation
> Hi Patrick,
>
>> While going through the Qualys SSL test
>> (https://www.ssllabs.com/ssltest), one of the items it mentions is a
>> DoS vulnerability in regards to client-side initiated SSL renegotiation
>> (https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks).
>>
>> While researching the subject, it seems that the only reliable way to
>> mitigate the issue is in the server software. Apache has implemented
>> code to disable renegotiation. Would it be possible to add an option in
>> haproxy to disable it?
>
> Looks like it's already disabled by default?
>
> https://www.ssllabs.com/ssltest/analyze.html?d=demo.1wt.eu
>
> ---> Secure Client-Initiated Renegotiation: No
> ---> Insecure Client-Initiated Renegotiation: No
>
> Regards,
>
> Lukas

Doh! You're right, I screwed up the test when I ran it. Yes, it is disabled. Sorry for the noise.

-Patrick
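The thread's point is that the mitigation belongs in the server software. As an added illustration (not haproxy's code, and not from either poster), the following Python snippet builds a server-side TLS context that refuses client-initiated renegotiation via OpenSSL's SSL_OP_NO_RENEGOTIATION option (exposed by Python 3.7+ as ssl.OP_NO_RENEGOTIATION on OpenSSL 1.1.0h or newer) and reports how, or whether, the protection is in effect on the running build. The certificate and key paths are assumed placeholders.

```python
"""Server-side mitigation for client-initiated TLS renegotiation.

Added illustration, not haproxy code: builds an ssl.SSLContext for a server
that will not accept client-initiated renegotiation, and reports how that
protection is obtained on the OpenSSL build Python is linked against.
"""
import ssl

# Assumption: OpenSSL >= 1.1.0h exposes SSL_OP_NO_RENEGOTIATION, mirrored by
# Python >= 3.7 as ssl.OP_NO_RENEGOTIATION. Older builds lack the flag, and
# the application itself must then refuse a second handshake (which is what
# servers such as Apache and haproxy do in their own code).
NO_RENEG = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def build_server_context(certfile=None, keyfile=None):
    """Return a server SSLContext hardened against renegotiation-based DoS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if hasattr(ssl, "TLSVersion"):
        # TLS 1.0/1.1 off; renegotiation only exists in TLS 1.2 and below.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS-level compression off as well
    ctx.options |= NO_RENEG                # refuse client-initiated renegotiation
    if certfile:                           # placeholder paths, supplied by caller
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def renegotiation_status(ctx):
    """Describe whether the context can still accept a client renegotiation.

    Returns a dict with 'renegotiation_possible' (bool) and a 'reason' string
    so the result can be logged or asserted on in a deployment check.
    """
    tls13_only = (hasattr(ssl, "TLSVersion")
                  and ctx.minimum_version >= ssl.TLSVersion.TLSv1_3)
    if tls13_only:
        # TLS 1.3 removed renegotiation from the protocol entirely.
        return {"renegotiation_possible": False, "reason": "TLS 1.3 only"}
    if NO_RENEG and ctx.options & NO_RENEG:
        return {"renegotiation_possible": False,
                "reason": "OP_NO_RENEGOTIATION set"}
    return {"renegotiation_possible": True,
            "reason": "flag unavailable on this OpenSSL; application must "
                      "reject a second handshake itself"}


if __name__ == "__main__":
    server_ctx = build_server_context()
    print(renegotiation_status(server_ctx))
```

Run the module once on the host that will terminate TLS: a `renegotiation_possible: True` result means the OpenSSL build is too old for the flag and the server software's own renegotiation guard (the kind the thread confirms haproxy already has) is what stands between a client and repeated handshakes.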