I am trying to verify the SSL renegotiation vulnerability reported for one of our URLs by a vulnerability scanner. The scan report lists the SSL Renegotiation vulnerability as - 'Insecure Transport: SSLv3/TLS Renegotiation Stream Injection'
I cannot check the openssl version currently installed since I don't have access to this server yet, so I connected to the website using openssl s_client -connect www.example.com:443
. It said Secure Renegotiation IS supported
after the SSL Handshake. And when I sent the request for Renegotiation it says:
GET / HTTP/1.1
Host: www.example.com
R
RENEGOTIATING
140322948818112:error:140940F5:SSL routines:ssl3_read_bytes:unexpected record:../ssl/record/rec_layer_s3.c:1746:
Am I vulnerable to CVE-2009-3555?
When I ran a test on it from SSL Labs, it says:
- Secure Renegotiation : Supported
- Secure Client-Initiated Renegotiation : No
- Insecure Client-Initiated Renegotiation No
Since it says 'Secure Negotiation', does it mean that website is not vulnerable? Assuming the vulnerable version should say 'Insecure Negotiation : Supported' in SSL Labs.
Also, can I assume that all is safe since Client-Initiated Renegotiation is disabled? Or can the evil man-in-the-middle still push his malicious data if he/she waits for that moment when Server initiates the renegotiation?
P.S:- I tried to confirm the vulnerabilit by downloading and running the exploit '10579.py' from ExploitDB, but it gives the following error when I proxy my requests through the port opened by the exploit:
`handshake_settings = tlslite.HandshakeSettings.HandshakeSettings()
AttributeError: type object 'HandshakeSettings' has no attribute 'HandshakeSettings'`
But that is another discussion, just thought I will mention it here.