
I tested my server against cryptographic attacks and I have a few major and minor issues. However, I would like to know how I can mitigate and protect against such a vulnerability warning:

Secure Client-Initiated Renegotiation - DoS DANGER

Michal Koczwara

1 Answer


how I can mitigate and protect against such a vulnerability warning

Well, generally speaking, everybody knows that defending against DoS attacks, whatever their nature, is a difficult and expensive thing to achieve. Coming back to your essential problem, it happens when an attacker overwhelms your server with secure connection requests, leading it to consume more CPU resources. This problem is called TLS renegotiation MITM and was first discovered in 2009, exploiting a flaw in the TLS v1/SSL v3 stack layers before RFC 5746 and its implementations appeared. Before that, several patches were applied more or less genuinely.

So right now, I suppose your OpenSSL version is outdated. You can update it to at least OpenSSL version 0.9.8m or newer (but OpenSSL versions 1.0.1 through 1.0.1f and OpenSSL 1.0.2-beta are affected by the Heartbleed problem).

Whether you are using Apache (recent versions), IIS or any other product that supports the client-initiated renegotiation feature, please disable it (it is often there by default).

If you want to know more about this vulnerability, please refer to this: SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection - medium or low risk?. Also, maybe you are interested in reading about the first tool developed for this type of DoS attack.

  • Heartbeat extension wasn't backported to the previous OpenSSL branches, it only exists in several OpenSSL 1.0.1 releases and 1.0.2 beta. – Adm Selec Aug 07 '15 at 06:46
  • @AdmSelec I checked that, you are right. Thank you very much for the rectification. I edited the answer. – Aug 07 '15 at 06:49
  • I have a Windows Server with Apache 2.4 and OpenSSL 1.1.1a. How do I disable Secure Client-Initiated renegotiation on that server? – skt7 Jun 20 '19 at 09:28
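The RFC 5746 renegotiation_info check that the answer refers to, as an added example that is not part of the question, the answer or any comment: a server that remembers the client's Finished.verify_data from the current connection rejects a renegotiation whose extension does not carry it, which is what the 2009 plaintext-injection fix comes down to. The verify_data values below are constructed sample bytes; real ones come from the Finished messages of the previous handshake, and the CPU-exhaustion finding in the question is handled separately by refusing client-initiated renegotiation altogether, as the answer says.

```python
import hmac
import struct
from typing import Optional

RENEGOTIATION_INFO = 0xFF01  # extension type registered by RFC 5746
VERIFY_DATA_LEN = 12         # length of Finished.verify_data in TLS 1.0-1.2


def encode_renegotiation_info(renegotiated_connection: bytes) -> bytes:
    """Serialise the extension: type(2) | ext_len(2) | len(1) | renegotiated_connection."""
    if len(renegotiated_connection) > 255:
        raise ValueError("renegotiated_connection is at most 255 bytes")
    body = bytes([len(renegotiated_connection)]) + renegotiated_connection
    return struct.pack("!HH", RENEGOTIATION_INFO, len(body)) + body


def decode_renegotiation_info(ext: bytes) -> bytes:
    """Parse the extension and return renegotiated_connection; malformed input is rejected."""
    if len(ext) < 5:
        raise ValueError("extension too short")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != RENEGOTIATION_INFO or ext_len != len(ext) - 4 or ext[4] != ext_len - 1:
        raise ValueError("not a well-formed renegotiation_info extension")
    return ext[5:]


def server_accepts_client_hello(ext: bytes, saved_client_verify: Optional[bytes]) -> bool:
    """Server-side check (RFC 5746 section 3.6): on the initial handshake the value must be
    empty; on a renegotiation it must equal client_verify_data of the previous handshake on
    this same connection, which a handshake spliced in from another session cannot supply."""
    value = decode_renegotiation_info(ext)
    expected = b"" if saved_client_verify is None else saved_client_verify
    return hmac.compare_digest(value, expected)  # constant-time comparison


def client_accepts_server_hello(ext: bytes, client_verify: Optional[bytes],
                                server_verify: Optional[bytes]) -> bool:
    """Client-side check (RFC 5746 section 3.5): the server must echo client_verify_data
    followed by its own server_verify_data, 24 bytes in total for TLS 1.0-1.2."""
    value = decode_renegotiation_info(ext)
    expected = b"" if client_verify is None else client_verify + server_verify
    return hmac.compare_digest(value, expected)


if __name__ == "__main__":
    cv, sv = bytes(range(VERIFY_DATA_LEN)), bytes(range(12, 24))  # constructed sample values
    print("initial handshake, empty value:", server_accepts_client_hello(encode_renegotiation_info(b""), None))
    print("renegotiation bound to prior Finished:", server_accepts_client_hello(encode_renegotiation_info(cv), cv))
    print("renegotiation with empty value:", server_accepts_client_hello(encode_renegotiation_info(b""), cv))
```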