
As the title suggests, is it possible to disable SSL / TLS renegotiation when hosting a RoR application on Heroku?

I ran the Nessus security tool on my website and the only serious warning showing up is that the website is possibly open to DoS attacks.


I tried researching the problem, but I'm not sure if it is a heroku problem or the thin server or if the issue is because of the rails application.

Are there any solutions to this issue?

Any advice would be appreciated.

1 Answer


If you're using SSL endpoints for your application on Heroku, the encryption is terminated at Heroku's SSL load balancer, and not on (rack + thin/puma/etc) Rails itself.

For what it's worth, I don't see anything published by Heroku stating that it's possible for individuals to disable TLS session renegotiation on their endpoints, so if you want this additional level of security, you'll need to stand up your own SSL termination reverse proxy (like nginx or something) and put it in front of your Heroku endpoint.

Mike Atlas
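To make the answer's suggestion concrete, here is an added example (not from the original question or answer, and not Heroku's own configuration) of an nginx server block that terminates TLS itself and reverse-proxies to the Heroku endpoint. The domain `www.example.com`, the Heroku hostname `example-app.herokuapp.com`, and the certificate and CA-bundle paths are placeholders you would replace with your own. The relevant property is that nginx refuses client-initiated renegotiation on TLS 1.2 connections (builds against OpenSSL 1.1.0h or newer also set `SSL_OP_NO_RENEGOTIATION`), and TLS 1.3 has no renegotiation mechanism at all, so restricting `ssl_protocols` to those two versions removes the attack surface Nessus is flagging regardless of what Heroku's load balancer does.

```nginx
# Added example, not part of the original post: nginx as a TLS-terminating
# reverse proxy in front of a Heroku app. All hostnames and paths are assumed.

server {
    listen 443 ssl;
    server_name www.example.com;                        # assumed custom domain

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # assumed path

    # TLS 1.3 has no renegotiation; on TLS 1.2 nginx rejects
    # client-initiated renegotiation and closes the connection.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;

    location / {
        # Forward to Heroku over TLS; Heroku's router needs the app hostname
        # both as SNI (proxy_ssl_server_name) and as the HTTP Host header.
        proxy_pass https://example-app.herokuapp.com;   # assumed Heroku hostname
        proxy_set_header Host example-app.herokuapp.com;
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Verify Heroku's certificate rather than trusting any upstream.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed CA bundle path

        # Tell the Rails app (and Heroku) that the client connection was HTTPS.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Redirect plain HTTP to HTTPS so the app is only reachable through the
# hardened listener above.
server {
    listen 80;
    server_name www.example.com;                        # assumed custom domain
    return 301 https://$host$request_uri;
}
```

To check the result the way a scanner would, connect with `openssl s_client -connect www.example.com:443 -tls1_2`, wait for the handshake to finish, and type `R` on a line by itself to request a renegotiation: a server that allows it completes a second handshake, while nginx either returns a `no_renegotiation` alert or drops the connection. Repeat with `-tls1_3` and you will find there is nothing to renegotiate at all. Note the trade-off the answer alludes to: once you terminate TLS yourself, certificate renewal, cipher configuration and patching of the proxy host become your responsibility rather than Heroku's.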