Repeated renegotiation of TLS / SSL connections

#1 Mon, 05/06/2013 - 19:45
bill56


Hello:

OS: CentOS Linux 5.9 - Linux 2.6.18-348.3.1.el5 on x86_64

Virtualmin version 3.99.gpl GPL

All Virtualmin packages are up to date.

I received a PCI scan fail due to "The remote service allows repeated renegotiation of TLS / SSL connections."

Description :The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.

See also :

http://orchilles.com/2011/03/ssl-renegotiation-dos.html

http://www.ietf.org/mail-archive/web/tls/current/msg07553.html

Solution : Contact the vendor for specific patch information.

===============

Anyone have a fix for this?

Thanks, Bill56

Mon, 05/06/2013 - 22:53
andreychek

Howdy,

Which service caused the failure you're seeing?

Also, just to verify -- are you saying that if you run "yum update", there are no additional updates to process?

-Eric

Tue, 05/07/2013 - 08:30 (Reply to #2)
bill56

Hi Eric:

yum update: No Packages marked for Update

Application: pop3
Port: 110
Protocol: tcp
VATID: 53491
Synopsis : The remote service allows repeated renegotiation of TLS / SSL connections.

Thanks, Bill

Thu, 05/09/2013 - 09:40 (Reply to #3)
bill56

I was seeing the failure on POP3, so I disabled this and re-ran the PCI scan. Now I get the same fail on IMAP:

Application: imap
Port: 143
Protocol: tcp
VATID: 53491
Synopsis : The remote service allows repeated renegotiation of TLS / SSL connections.
Description : The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
See also :
http://orchilles.com/2011/03/ssl-renegotiation-dos.html
http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution : Contact the vendor for specific patch information.
CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 3.9 (CVSS2#E:POC/RL:U/RC:C)
Public Exploit Available : true
Plugin output : The remote host is vulnerable to renegotiation DoS over TLSv1 / SSLv3.
CVE : CVE-2011-1473
BID : 48626

Any ideas how to fix this?

Thanks, Bill
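The scan text quoted in posts #1 and #4 turns on one observable fact: the server "does not appear to limit the number of renegotiations for a single TLS / SSL connection". The following is an added example, not code from this thread, from Virtualmin, or from the scanner. It is a small passive counter a defender can run over the client-to-server half of a captured POP3/IMAP TLS connection to see how many handshakes that one connection performed, which is the same per-connection count a server enforcing a renegotiation cap would keep. It assumes SSLv3/TLS 1.0-1.2 record framing (the 5-byte record header stays in clear once encryption starts, so nothing is decrypted), that capture starts after the STLS/STARTTLS exchange on ports 110/143, and that the `limit` of 3 is an arbitrary policy value; the sample streams are constructed inline rather than captured.

```python
"""Passive TLS renegotiation counter (added example, not from the thread).

Works on SSLv3 / TLS 1.0-1.2 traffic, the versions named in the scan output:
the record header (content type, version, length) is never encrypted, so a
network sensor can count handshakes per connection without any keys.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, Tuple

CT_CHANGE_CIPHER_SPEC = 20
CT_ALERT = 21
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
VALID_CONTENT_TYPES = {CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA}
RECORD_HEADER = struct.Struct("!BBBH")  # content type, major, minor, payload length


def parse_records(stream: bytes) -> Iterator[Tuple[int, Tuple[int, int], bytes]]:
    """Split one direction of a TCP stream into TLS records.

    Yields (content_type, (major, minor), payload). Raises ValueError on a
    truncated record or on bytes that are not SSLv3/TLS framing (major != 3),
    e.g. a cleartext POP3 banner captured before STLS.
    """
    off = 0
    while off < len(stream):
        if len(stream) - off < RECORD_HEADER.size:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, major, minor, length = RECORD_HEADER.unpack_from(stream, off)
        if ctype not in VALID_CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record at offset {off}: type={ctype} version={major}.{minor}")
        start = off + RECORD_HEADER.size
        payload = stream[start:start + length]
        if len(payload) != length:
            raise ValueError(f"truncated record body at offset {off}")
        yield ctype, (major, minor), payload
        off = start + length


@dataclass
class ConnectionStats:
    handshakes: int = 0       # completed client handshakes, initial one included
    renegotiations: int = 0   # new ClientHellos sent after the first Finished
    app_records: int = 0      # application-data records


def count_renegotiations(client_to_server: bytes) -> ConnectionStats:
    """Count client-initiated handshakes in the client->server half of a connection.

    The client's ChangeCipherSpec is followed by exactly one Handshake record,
    its Finished. Any Handshake record after that Finished can only be a new
    (encrypted) ClientHello, i.e. a renegotiation. Keying on Finished rather
    than on application data also catches renegotiations issued before any
    application data is sent.
    """
    stats = ConnectionStats()
    finished_pending = False   # client sent CCS; the next Handshake record is Finished
    established = False        # client's Finished seen; connection is in steady state
    for ctype, _version, _payload in parse_records(client_to_server):
        if ctype == CT_HANDSHAKE:
            if finished_pending:
                finished_pending = False
                established = True
                stats.handshakes += 1
            elif established:
                stats.renegotiations += 1
                established = False
        elif ctype == CT_CHANGE_CIPHER_SPEC:
            finished_pending = True
        elif ctype == CT_APPLICATION_DATA:
            stats.app_records += 1
    return stats


def exceeds_limit(stats: ConnectionStats, limit: int = 3) -> bool:
    """True when one connection renegotiated more often than a per-connection
    cap would allow. The default of 3 is an assumed policy value, not a standard."""
    return stats.renegotiations > limit


def build_client_stream(renegotiations: int, app_records: int, version=(3, 1)) -> bytes:
    """CONSTRUCTED sample traffic: client->server records of a TLS 1.0 connection
    that completes its handshake, renegotiates `renegotiations` times, then sends
    `app_records` application-data records. Handshake bodies are opaque
    placeholders; after the first handshake they would be ciphertext anyway."""
    def rec(ctype: int, body: bytes) -> bytes:
        return RECORD_HEADER.pack(ctype, version[0], version[1], len(body)) + body

    client_flight = (rec(CT_HANDSHAKE, b"<ClientHello>")
                     + rec(CT_HANDSHAKE, b"<ClientKeyExchange>")
                     + rec(CT_CHANGE_CIPHER_SPEC, b"\x01")
                     + rec(CT_HANDSHAKE, b"<Finished>"))
    return client_flight * (1 + renegotiations) + rec(CT_APPLICATION_DATA, b"<data>") * app_records


def is_well_formed(stream: bytes) -> bool:
    """Whole-stream framing check; False for truncated or non-TLS input."""
    try:
        for _ in parse_records(stream):
            pass
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, stream in (("normal", build_client_stream(0, 4)),
                          ("renegotiating", build_client_stream(8, 1))):
        s = count_renegotiations(stream)
        print(f"{label}: {s} alert={exceeds_limit(s)}")
```

The same state machine is what a server-side cap looks like from the inside: count the handshakes completed on one connection and close it once the count passes the limit, so the asymmetric cost the scan describes stops at a bounded number of handshakes per connection instead of being open-ended.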
