
Wrong: "Secure Renegotiation     Supported, with client-initiated renegotiation disabled"

Question asked by ckahlo on Jun 26, 2012
Latest reply on Jun 27, 2012 by Ivan Ristić

Hi there,


Just noticed the detection for "client-initiated renegotiation disabled" is incomplete.

I assume you're sending a hello request?

Better would be to send a Client Hello and watch out for a corresponding Server Hello.

That's the way the "thc-ssl-dos" tool from http://www.thc.org brings down servers.

People who believe their server is "secure" because of this rating might be vulnerable to an attack using the mentioned tool.


BTW: *.google.com behaves wrongly on TLS 1.2 using ECDHE_RSA_* ciphers. The hashes inside the signatures they calculate are anything but the expected ones.

A short comment from my side can be found here:

https://plus.google.com/104046855272569005562/posts/LDVAFZt2Fhi


Best regards,

Christian
