I am trying to verify whether I am vulnerable to the OpenSSL TLS renegotiation vulnerability CVE-2021-3449 (fixed in OpenSSL 1.1.1k).
When I connect to the website using `openssl s_client -tls1_2 -connect example.com:443`, it says "Secure Renegotiation IS supported". When I then send the request for renegotiation, it disconnects:
```
$ openssl s_client -tls1_2 -connect example.com:443
[...]
---
GET / HTTP/1.1
R
RENEGOTIATING
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = <my domain>
verify return:1
write:errno=0
```
I first tried without sending data first, but figured it might want some data before accepting the renegotiation. Either way, though, it disconnects. In Wireshark I see three encrypted handshake messages: first me to server, then server to me, then me to server. Before the last one, the server already sent me a FIN+ACK and so I get a RST packet back in the end, though my system also sends a FIN+ACK.
When I ran a test on it from SSL Labs, it says:
- Secure Renegotiation Supported
- Secure Client-Initiated Renegotiation No
- Insecure Client-Initiated Renegotiation No
Does that mean I am safe since Client-Initiated Renegotiation is disabled? I don't know when or why my web server would ever choose to renegotiate of its own accord. A PoC that I can test against my server would also be appreciated.
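
An added example, not part of the original question: a shell helper that classifies an `openssl version` banner against the fix version cited above (1.1.1k), for checking the library the server is actually linked against. The function names and sample banners are constructed for illustration, and it assumes upstream version lettering; distribution packages can carry a backported fix under an older letter.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against CVE-2021-3449.
# Assumption: upstream version lettering. A distribution package may contain
# the backported fix while still reporting an older letter, so confirm any
# "affected" result against the vendor's advisory or package changelog.

# classify_openssl_banner "<banner>"   (hypothetical helper name)
# Prints one of: affected | fixed | other-series | unknown
classify_openssl_banner() {
    banner=$1
    name=${banner%% *}      # first field, e.g. "OpenSSL"
    rest=${banner#* }       # everything after the first space
    ver=${rest%% *}         # second field, e.g. "1.1.1j"

    # Only OpenSSL banners are understood (LibreSSL etc. number differently).
    [ "$name" = "OpenSSL" ] || { echo unknown; return 0; }

    case $ver in
        # 1.1.1 with no letter, or a letter before "k": predates the fix.
        1.1.1|1.1.1[abcdefghij])      echo affected ;;
        # 1.1.1k and later letters contain the fix.
        1.1.1[klmnopqrstuvwxyz])      echo fixed ;;
        # Pre-releases or vendor suffixes on 1.1.1: do not guess.
        1.1.1*)                       echo unknown ;;
        # Some other release series; the 1.1.1k fix version does not apply.
        [0-9]*.[0-9]*)                echo other-series ;;
        *)                            echo unknown ;;
    esac
}

# Check the openssl binary on this host (run it on the server itself, and
# remember the web server may link a different libssl than this binary).
check_local_openssl() {
    classify_openssl_banner "$(openssl version)"
}

# Constructed sample banners:
#   classify_openssl_banner "OpenSSL 1.1.1j  16 Feb 2021"
#   classify_openssl_banner "OpenSSL 1.1.1k  25 Mar 2021"
```
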