Questions tagged [secure-renegotiation]
20 questions
104
votes
7 answers
Is MD5 considered insecure?
After all these articles circulating online about md5 exploits, I am considering switching to another hash algorithm. As far as I know it's always been the algorithm of choice among numerous DBAs. Is it that much of a benefit to use MD5 instead of…
Tawfik Khalifeh
19
votes
4 answers
How can you check and analyze SSL ports other than 443?
I tried
https://www.ssllabs.com/ssltest/analyze.html?d=imap.spamarrest.com%3A993&hideResults=on
but it said
Ports other than 443 not supported
I need to check imap.spamarrest.com:993
Chloe
19
votes
3 answers
Should I use SSL/TLS renegotiation?
Should I use SSL/TLS renegotiation? In other words: does SSL/TLS renegotiation enhance or weaken the security?
Jim
6
votes
1 answer
How has TLS renegotiation been fixed?
I've read RFC 5746 on the TLS secure renegotiation extension. However, I don't understand how it fixes the problem.
Client and server are required to include the verify_data from the previous handshake in the ClientHello and ServerHello messages.…
chris
5
votes
0 answers
Should I force Thunderbird to avoid RFC5746 and CVE-2009-3555 security bugs?
I see that the latest version of Thunderbird (38.0.1) still has the defaults set to ignore the error. Is this a big problem? Should I change the defaults to enforce greater security?
Here is background on the problem:…
Chloe
5
votes
3 answers
TLS Renegotiation Indication Extension vulnerability
I am trying to understand the TLS Renegotiation Indication Extension from the RFC. I can understand that it is related to the fact that the renegotiation is sent under the encrypted stream, but I cannot understand the idea and the exploit.
Could…
Jim
4
votes
0 answers
Java Updates Restrict Unsafe SSL Renegotiation With Active Directory Servers
We have two active directory (AD) hosts, ead01.domain.com and ead02.domain.com; we also have a corresponding service domain, at eadauth.domain.com which round-robins between these AD hosts (via DNS).
We have a ColdFusion application (CF runs on…
KM.
4
votes
2 answers
Why do browsers probe and fallback (or, why SSL_MODE_SEND_FALLBACK_SCSV)?
I've been following POODLE and the SSL_MODE_SEND_FALLBACK_SCSV TLS extension. I never really paid much attention to it, but it appears SSL_MODE_SEND_FALLBACK_SCSV is needed for clients like browsers which attempt to use a particular SSL/TLS protocol…
user29925
3
votes
0 answers
Does RenegotiateOnce in Go's crypto/tls package protect against triple handshake?
Looking into how to do client cert authentication from the Go HTTP client, I found out I needed renegotiation from the client side and I came across issue 5742 for Go on GitHub, which is the issue leading up to renegotiation support being added to…
Andy Haskell
2
votes
3 answers
Is it possible to upgrade the SSL version of a connection from the server's side only?
I am trying to find out if there's a way to upgrade the SSL version from SSLv3 to TLSv1 of a connection by only making server-side changes.
In my case, both the client application and server are using OpenSSL(v0.9.8o), so both support SSL versions…
jaybird19
2
votes
0 answers
How to verify SSL/TLS renegotiation vulnerability?
I am trying to verify the SSL renegotiation vulnerability reported for one of our URLs by a vulnerability scanner. The scan report lists the SSL Renegotiation vulnerability as - 'Insecure Transport: SSLv3/TLS Renegotiation Stream Injection'
I…
Sreeraj
2
votes
1 answer
Inducing TLS renegotiation
Is it possible to induce ssl renegotiation for a browser via command line / a curl request. I know it is possible to rate limit ssl renegotiation but do not know how to do it the other way around.
I found some claims by F5 network's BIG-IP product,…
user124499
2
votes
1 answer
Does subject alternative name order matter for TLS certificates?
I ran into an issue today and I'm interested in finding out if the behaviour seen is standard or non standard.
We have several servers that are exposed through a load balancer serving https requests. These servers use TLS certificates with three…
conorgriffin
1
vote
1 answer
Triple handshake attack against TLS
Triple handshake attack was discovered lately, and to quote the article "The secure renegotiation indication extension only binds handshakes on the same connection, but does not apply if the session is resumed on a new connection.", that is to say,…
xinyu
1
vote
1 answer
TLS: could the resumed session and the original session in the same connection?
In TLS 1.2, we know that every connection is associated with one session, and session resumption can be used to establish a new connection quickly by using the session ID of the original session of an old connection, what's more, the resumed session…
xinyu