2

I am trying to verify the SSL renegotiation vulnerability reported for one of our URLs by a vulnerability scanner. The scan report lists the SSL Renegotiation vulnerability as - 'Insecure Transport: SSLv3/TLS Renegotiation Stream Injection'

I cannot check the openssl version currently installed since I don't have access to this server yet, so I connected to the website using openssl s_client -connect www.example.com:443. It said Secure Renegotiation IS supported after the SSL Handshake. And when I sent the request for Renegotiation it says:

GET / HTTP/1.1
Host: www.example.com
R
RENEGOTIATING

140322948818112:error:140940F5:SSL routines:ssl3_read_bytes:unexpected record:../ssl/record/rec_layer_s3.c:1746:

Am I vulnerable to CVE-2009-3555?

When I ran a test on it from SSL Labs, it says:

  • Secure Renegotiation : Supported
  • Secure Client-Initiated Renegotiation : No
  • Insecure Client-Initiated Renegotiation No

Since it says 'Secure Negotiation', does it mean that website is not vulnerable? Assuming the vulnerable version should say 'Insecure Negotiation : Supported' in SSL Labs.

Also, can I assume that all is safe since Client-Initiated Renegotiation is disabled? Or can the evil man-in-the-middle still push his malicious data if he/she waits for that moment when Server initiates the renegotiation?

P.S:- I tried to confirm the vulnerabilit by downloading and running the exploit '10579.py' from ExploitDB, but it gives the following error when I proxy my requests through the port opened by the exploit:

   `handshake_settings = tlslite.HandshakeSettings.HandshakeSettings()
AttributeError: type object 'HandshakeSettings' has no attribute 'HandshakeSettings'`

But that is another discussion, just thought I will mention it here.

Sreeraj
  • 1,297
  • 1
  • 13
  • 21

0 Answers0