Questions tagged [secure-renegotiation]

20 questions
1 vote, 2 answers

Would disabling resumption/renegotiation mitigate the triple handshake issue?

The Triple Handshake Issue was disclosed lately. As far as I understand it, it highly depends on renegotiation and resumption. So the simple question is: Would disabling resumption and/or renegotiation mitigate this problem? In more…
Elrond
1 vote, 1 answer

How to verify TLS renegotiation DoS vulnerability? (CVE-2021-3449)

I am trying to verify whether I am vulnerable to the OpenSSL TLS renegotiation vulnerability CVE-2021-3449 (fixed in OpenSSL 1.1.1k). When I connect to the website using openssl s_client -tls1_2 -connect example.com:443, it says "Secure…
Luc
0 votes, 1 answer

Questions about "Triple Handshakes Considered Harmful Breaking and Fixing Authentication over TLS"

Recently I have been reading the paper "Triple Handshakes Considered Harmful Breaking and Fixing Authentication over TLS", and I have several unclear questions. First question: In the TLS 1.2 standard, we can see: "Every connection is associated with one…
xinyu
0 votes, 1 answer

Is key renegotiation necessary with a larger cipher in OpenVPN?

OpenVPN allows the use of their 'reneg-sec' option to renegotiate keys for the data channel at a specified interval. This helped protect against exploits like Sweet32 with 64-bit block ciphers a while ago. Apparently, only 32GB of retrieved data is…
Letal1s
0 votes, 1 answer

renegotiated master key in openssl s_client

OpenSSL s_client (CLI) prints the Master-Key during the initial handshake. This can be clubbed with the client random to decrypt a packet capture in Wireshark. However, the random and master key change after renegotiation and packet decryption stops working…
vpillai