7 Replies Latest reply on Jun 27, 2012 5:29 AM by Ivan Ristic

    Wrong: "Secure Renegotiation     Supported, with client-initiated renegotiation disabled"

    ckahlo Level 1

      Hi there,

       

      just noticed the detection for "client-initiated renegotiation disabled" is incomplete.

      I assume you're sending a hello request?

      Better would be to send a Client Hello and watch out for a corresponding Server Hello.

      Thats the way the "thc-ssl-dos"-tool from http://www.thc.org brings down servers.

      People who believe their server is "secure" because of this rating might be vulnerable

      against an attack using the mentioned tool.

       

      BTW: *.google.com behaves wrong on TLS1.2 using ECDHE_RSA_* ciphers. The

      hashes inside the signatures they calculate are anything but not the expected ones.

      Short comment from my side can be found here:

      https://plus.google.com/104046855272569005562/posts/LDVAFZt2Fhi

       

      Best regards,

      Christian