RE: Disable TLS renegotiation

2014-05-16 Thread Lukas Tribus
Hi Patrick,


> While going through the Qualys SSL test
> (https://www.ssllabs.com/ssltest), one of the items it mentions is a
> DoS vulnerability with regard to client-side initiated SSL renegotiation
> (https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks).
>
> While researching the subject, it seems that the only reliable way to
> mitigate the issue is in the server software. Apache has implemented
> code to disable renegotiation. Would it be possible to add an option in
> haproxy to disable it?

Looks like it's already disabled by default?

https://www.ssllabs.com/ssltest/analyze.html?d=demo.1wt.eu

--- Secure Client-Initiated Renegotiation:
No
--- Insecure Client-Initiated Renegotiation:
No



Regards,

Lukas
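To automate the check Lukas ran by hand in the SSL Labs web UI, here is an added example (my own code, not haproxy's or Qualys's) that reads the renegSupport bitfield the SSL Labs API reports per endpoint and flags servers that still allow client-initiated renegotiation. The API URL and the bit layout are assumptions taken from the SSL Labs API v3 documentation, and the sample response embedded below is constructed.

```python
import json
import urllib.request

# Assumed bit layout of the SSL Labs API v3 "renegSupport" field (EndpointDetails);
# verify against the current API documentation before relying on it.
RENEG_INSECURE_CLIENT = 1   # insecure client-initiated renegotiation supported
RENEG_SECURE = 2            # secure renegotiation (RFC 5746) supported
RENEG_SECURE_CLIENT = 4     # secure client-initiated renegotiation supported
RENEG_SECURE_REQUIRED = 8   # server requires secure renegotiation


def decode_reneg_support(bits):
    """Map the bitfield onto the two report lines quoted in the thread."""
    return {
        "secure_client_initiated": bool(bits & RENEG_SECURE_CLIENT),
        "insecure_client_initiated": bool(bits & RENEG_INSECURE_CLIENT),
        "secure_renegotiation": bool(bits & RENEG_SECURE),
    }


def client_initiated_allowed(endpoint):
    """True if clients may start a renegotiation at all (the DoS precondition)."""
    r = decode_reneg_support(endpoint["details"]["renegSupport"])
    return r["secure_client_initiated"] or r["insecure_client_initiated"]


def endpoints_allowing_client_reneg(report):
    """IP addresses of endpoints in a finished assessment that need attention."""
    return [ep["ipAddress"] for ep in report["endpoints"]
            if "details" in ep and client_initiated_allowed(ep)]


def fetch_report(host):
    """Fetch a finished assessment; 'all=done' asks for per-endpoint details (assumed URL)."""
    url = f"https://api.ssllabs.com/api/v3/analyze?host={host}&all=done"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


# Constructed sample shaped like an API response, not a real assessment.
SAMPLE_REPORT = json.loads("""{
  "host": "example.invalid",
  "endpoints": [
    {"ipAddress": "192.0.2.10", "details": {"renegSupport": 2}},
    {"ipAddress": "192.0.2.11", "details": {"renegSupport": 6}},
    {"ipAddress": "192.0.2.12", "details": {"renegSupport": 1}}
  ]
}""")

if __name__ == "__main__":
    for ep in SAMPLE_REPORT["endpoints"]:
        print(ep["ipAddress"], decode_reneg_support(ep["details"]["renegSupport"]))
    print("allow client-initiated:", endpoints_allowing_client_reneg(SAMPLE_REPORT))
```

On the constructed sample only 192.0.2.10 matches the "No / No" result Lukas got for demo.1wt.eu; the other two endpoints would be flagged.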
Re: Disable TLS renegotiation

2014-05-16 Thread Patrick Hemmer

*From: *Lukas Tribus luky...@hotmail.com
*Sent: *2014-05-16 13:23:43 E
*To: *Patrick Hemmer hapr...@stormcloud9.net, haproxy@formilux.org
*Subject: *RE: Disable TLS renegotiation

> Hi Patrick,
>
>> While going through the Qualys SSL test
>> (https://www.ssllabs.com/ssltest), one of the items it mentions is a
>> DoS vulnerability with regard to client-side initiated SSL renegotiation
>> (https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks).
>>
>> While researching the subject, it seems that the only reliable way to
>> mitigate the issue is in the server software. Apache has implemented
>> code to disable renegotiation. Would it be possible to add an option in
>> haproxy to disable it?
>
> Looks like it's already disabled by default?
>
> https://www.ssllabs.com/ssltest/analyze.html?d=demo.1wt.eu
>
> --- Secure Client-Initiated Renegotiation:
> No
> --- Insecure Client-Initiated Renegotiation:
> No
>
> Regards,
>
> Lukas

Doh!

You're right, I screwed up the test when I ran it. Yes, it is disabled.
Sorry for the noise.

-Patrick