From: Lukas Tribus luky...@hotmail.com
Sent: 2014-05-16 13:23:43 E
To: Patrick Hemmer hapr...@stormcloud9.net, haproxy@formilux.org
Subject: RE: Disable TLS renegotiation
Hi Patrick,

> While going through the Qualys SSL test
> (https://www.ssllabs.com/ssltest), one of the items it mentions is a
> DoS vulnerability in regards to client-side initiated SSL renegotiation
> (https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks).
> While researching the subject, it seems that the only reliable way to
> mitigate the issue is in the server software. Apache has implemented
> code to disable renegotiation. Would it be possible to add an option in
> haproxy to disable it?

Looks like it's already disabled by default?

https://www.ssllabs.com/ssltest/analyze.html?d=demo.1wt.eu
--- Secure Client-Initiated Renegotiation:
No
--- Insecure Client-Initiated Renegotiation:
No
Regards,
Lukas

Doh!
You're right, I screwed up the test when I ran it. Yes, it is disabled.
Sorry for the noise.
-Patrick