
Secure Client-Initiated Renegotiation - DoS DANGER

Question asked by sandeep kumar on May 24, 2015
Latest reply on May 24, 2015 by Lily Wilson

Hi Team,


I have validated my site using SSL Labs and it graded us "A". Though we got an "A", we saw the message "Secure Client-Initiated Renegotiation - Supported DoS DANGER" under the Protocols section.

[Screenshot: SecureRenegotiation.png]

I have been searching for a mitigation and have tried a couple of solutions, but none of them resolved this issue. There is no "SSLInsecureRenegotiation" directive in our Apache configuration, and we have even tried adding "SSLInsecureRenegotiation off" manually to see whether it fixes the issue, but no luck.

As per the thread Secure Client-Initiated Renegotiation Vs Insecure Client-Initiated Renegotiation, I have tried client renegotiation (from a machine running openssl-1.0.1e-16.el6_5.15) using the command "openssl s_client -connect <host>:443":

.....................................................

GET / HTTP/1.0

R

RENEGOTIATING

...................................

After some time, the request times out. Does this mean we are safe? If not, could you please let me know the solution for mitigation?


Our server is behind an Amazon ELB; could this be causing the issue? I am asking because with the same Apache configuration, where no ELB is present, we do not get the "Secure Client-Initiated Renegotiation - Supported DoS DANGER" issue.


So, I request you to please help me out on this.


Thanks,

Sandeep
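A repeatable version of the manual openssl s_client probe described in the post above (send a request line, then "R", watch for RENEGOTIATING), as an added example that is not part of the original thread or of any product discussed in it. It assumes GNU `timeout` is installed and that `openssl s_client` behaves as stated in the comments (an input line starting with "R" requests renegotiation, a completed renegotiation re-runs certificate verification and so prints fresh "verify return" lines, a refused one shows up as an alert or socket error); the sample transcripts at the bottom are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the manual
# "openssl s_client ... / GET / HTTP/1.0 / R" renegotiation probe in a
# time-limited check and classifies what the server did.
#
# Assumptions (not stated on the page): `openssl s_client` treats an input
# line starting with "R" as a renegotiation request and prints
# "RENEGOTIATING" (the page shows that marker); a renegotiation the server
# completes re-runs certificate verification, so "verify return" lines
# appear after the marker; a refused one surfaces as an alert or socket
# error. The sample outputs below are constructed for illustration.

# classify_renego OUTPUT -> prints one of:
#   renegotiated  the server completed a client-initiated renegotiation
#                 (the condition SSL Labs flags as a DoS risk)
#   refused       the server rejected, or closed on, the attempt
#   inconclusive  no attempt was seen, or the connection simply timed out
classify_renego() {
  out=$1
  case $out in
    *RENEGOTIATING*) ;;
    *) echo inconclusive; return 0 ;;
  esac
  after=${out#*RENEGOTIATING}   # keep only what happened after the request
  case $after in
    *"verify return"*) echo renegotiated ;;   # server sent a new certificate
    *alert*|*"handshake failure"*|*"no renegotiation"*|*errno=*) echo refused ;;
    *) echo inconclusive ;;
  esac
}

# probe_renego HOST [PORT] -> raw s_client output (stdout and stderr).
# Sends only the request line (no terminating blank line) so the server
# keeps the connection open, then "R" to ask for renegotiation. -ign_eof
# keeps the client alive after stdin closes; `timeout` (GNU coreutils)
# bounds the wait so a server that silently drops the attempt, as in the
# post, does not hang the check.
probe_renego() {
  host=$1
  port=${2:-443}
  printf 'GET / HTTP/1.0\nR\n' \
    | timeout 15 openssl s_client -connect "$host:$port" -ign_eof 2>&1
  return 0   # a time-out (exit 124) or read error is data, not a failure
}

# check_renego HOST [PORT] -> classification for a live endpoint you operate.
check_renego() {
  classify_renego "$(probe_renego "$@")"
}

# Constructed sample transcripts, shaped like the session in the post.
SAMPLE_ACCEPTED='CONNECTED(00000003)
depth=0 CN = www.example.test
verify return:1
RENEGOTIATING
depth=0 CN = www.example.test
verify return:1'

SAMPLE_REFUSED='CONNECTED(00000003)
RENEGOTIATING
write:errno=104'

if [ $# -ge 1 ]; then
  # usage: sh renego_check.sh HOST [PORT]
  check_renego "$@"
else
  echo "accepted sample -> $(classify_renego "$SAMPLE_ACCEPTED")"
  echo "refused sample  -> $(classify_renego "$SAMPLE_REFUSED")"
fi
```

Run it with no arguments to see the classifier on the constructed samples, or with a host you administer to probe it. A "renegotiated" result reproduces the SSL Labs finding; "inconclusive" after a time-out, which is what the post describes, means the server neither completed nor explicitly refused the renegotiation, so the probe alone cannot settle the question and the finding should be read against whichever component (Apache or the load balancer) actually terminates TLS.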
