I don't see any 'proper' way to disable only client renegotiation, in any version.

It looks like you could set OP_NO_RENEGOTIATE_CIPHERS and then bypass the check in SSL_renegotiate -> ssl3_renegotiate by doing the simple-ish equivalent yourself. But that's (1) not tested, (2) *really* ugly and (3) could easily break in the future.

What exactly do they think is the "security problem"? 'Legacy' renegotiation by a MITMed client was an actual risk - of misapplied authentication allowing unauthorized action - only when combined with an application that used client-auth and wasn't careful about the boundary of that authentication, particularly Apache. Some newer CVEs claim even 5746 renegotiation by a hostile client as a DoS threat, because the private-key operation(s) required during a full handshake are expensive (with reasonable security parameters and without special hardware). But this is no more costly than initial negotiation; the only difference is that some obvious defensive measures, like limiting or counting and rejecting connections, cannot (easily) be applied to renegotiation.

Does your phone use client-auth at all, and if so carelessly? Does your phone need to worry about DoS, and address it (at least partially) by rate-limiting connections? Only if at least one of these is 'yes' is renegotiation a "security problem" for you.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Simner, John
Sent: Tuesday, October 22, 2013 10:10
To: openssl-users@openssl.org
Subject: Disabling Client Initiated renegotiation in 0.9.8

Hi,

Following my previous question, is it possible on OpenSSL 0.9.8 to have secure renegotiation but turn off client initiated renegotiation? If so, how? If not, is it available in later versions of OpenSSL?

The customer has scanned the phone and the scanner has reported a security problem with having client initiated renegotiation.

Look forward to your responses.

Thanks.

John
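The reply above notes that the usual defence against handshake-cost DoS, counting and rejecting connections, does not easily apply to renegotiation. One way to apply it anyway, on 0.9.8 as well as later releases, is to count handshakes per connection from the SSL info callback and have the I/O loop drop any connection that renegotiates more often than a configured budget (a budget of 0 rejects all client-initiated renegotiation). The code below is an added example written for this thread, not code from the original message or from OpenSSL. The policy logic (`struct renego_state`, `renego_track`) is self-contained and compiles without OpenSSL; the callback wiring (`renego_install`, `renego_attach`, `renego_info_cb`) is an assumed design that is only compiled with `-DUSE_OPENSSL_WIRING` and linked against `-lssl -lcrypto`. The `SSL_CB_HANDSHAKE_START`/`SSL_CB_HANDSHAKE_DONE` values are mirrored from `<openssl/ssl.h>` so the policy can be exercised offline.

```c
#include <stdio.h>

#ifdef USE_OPENSSL_WIRING
#  include <openssl/ssl.h>
#endif

/* Mirror the OpenSSL info-callback event bits so the policy compiles
 * without OpenSSL headers (values as defined in <openssl/ssl.h>). */
#ifndef SSL_CB_HANDSHAKE_START
#  define SSL_CB_HANDSHAKE_START 0x10
#  define SSL_CB_HANDSHAKE_DONE  0x20
#endif

/* Per-connection renegotiation budget. This is a constructed policy
 * for the example, not an OpenSSL API. */
struct renego_state {
    int initial_done;  /* the first handshake has completed */
    int renego_count;  /* handshakes started after the first one finished */
    int limit;         /* renegotiations tolerated; 0 rejects all of them */
    int abort;         /* set once the budget is exceeded */
};

/* Feed every info-callback event through here. Returns 1 when the
 * connection should be torn down because the peer started more
 * renegotiations than the budget allows, 0 otherwise. */
int renego_track(struct renego_state *st, int type)
{
    if (type & SSL_CB_HANDSHAKE_START) {
        /* A handshake starting after the first one finished is a renegotiation. */
        if (st->initial_done) {
            st->renego_count++;
            if (st->renego_count > st->limit)
                st->abort = 1;
        }
    } else if (type & SSL_CB_HANDSHAKE_DONE) {
        st->initial_done = 1;
    }
    return st->abort;
}

#ifdef USE_OPENSSL_WIRING
/* ex_data slot that holds the per-connection state (assumed design). */
static int renego_idx = -1;

static void renego_info_cb(const SSL *ssl, int type, int val)
{
    struct renego_state *st = SSL_get_ex_data(ssl, renego_idx);
    (void)val;
    if (st == NULL)
        return;
#ifdef TLS1_3_VERSION
    /* TLS 1.3 has no renegotiation; there HANDSHAKE_START also fires for
     * post-handshake messages, so the budget must not be applied. */
    if (SSL_version(ssl) == TLS1_3_VERSION)
        return;
#endif
    renego_track(st, type);
    /* The callback cannot abort the connection itself: the I/O loop checks
     * st->abort after each SSL_read/SSL_write and closes the socket. */
}

void renego_install(SSL_CTX *ctx)
{
    if (renego_idx < 0)
        renego_idx = SSL_get_ex_new_index(0, "renego budget", NULL, NULL, NULL);
    SSL_CTX_set_info_callback(ctx, renego_info_cb);
}

void renego_attach(SSL *ssl, struct renego_state *st)
{
    SSL_set_ex_data(ssl, renego_idx, st);
}
#endif

/* Stand-alone demo: replay a constructed sequence of callback events. */
int main(void)
{
    struct renego_state st = {0, 0, 0, 0};   /* budget 0: no renegotiation */
    int events[] = {SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
                    SSL_CB_HANDSHAKE_START};
    for (int i = 0; i < 3; i++)
        printf("event %d -> abort=%d (renegotiations seen: %d)\n",
               i, renego_track(&st, events[i]), st.renego_count);
    return 0;
}
```

The budget is deliberately kept outside the callback so the same policy can be driven from whichever event source a given OpenSSL version offers; the application's read/write loop owns the decision to close, which keeps the callback free of I/O.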
It looks like you could set OP_NO_RENEGOTIATE_CIPHERS and then bypass the check in SSL_renegotiate -> ssl3_renegotiate by doing the simple-ish equivalent yourself. But that's (1) not tested (2) *really* ugly and (3) could easily break in the future. What exactly do they think is the "security problem"? 'legacy' renegotiation by MITMed client was an actual risk - of misapplied authentication allowing unauthorized action - only when combined with an application that used client-auth and wasn't careful about the boundary of that authentication, particularly Apache. Some newer CVEs claim even 5746 renegotiation by hostile client as a DoS threat, because the privatekey operation(s) required during full handshake are expensive (with reasonable security parameters and without special hardware). But this is no more costly than initial negotiation; the only difference is that some obvious defensive measures, like limiting or counting and rejecting connections, cannot (easily) be applied to renegotiation. Does your phone use client-auth at all, and if so carelessly? Does your phone need to worry about DoS, and address it (at least partially) by rate-limiting connections? Only if at least one of these is 'yes' is renegotiation a "security problem" for you. From: <mailto:owner-openssl-us...@openssl.org> owner-openssl-us...@openssl.org [ <mailto:owner-openssl-us...@openssl.org> mailto:owner-openssl-us...@openssl.org] On Behalf Of Simner, John Sent: Tuesday, October 22, 2013 10:10 To: <mailto:openssl-users@openssl.org> openssl-users@openssl.org Subject: Disabling Client Initiated renegotiation in 0.9.8 Hi, Following my previous question, is it possible on OpenSSL 0.9.8 to have secure renegotiation but turn off client initiated renegotiation. If so, how? If not, is it available in later versions of OpenSSL? The customer has scanned the phone and the scanner has reported a security problem with having client initiated renegotiation. Look forward to your responses. Thanks.. John