Is this a false positive on insecure renegotiation?

Question asked by Whit Blauvelt on Jun 27, 2015
Latest reply on Jun 30, 2015 by Whit Blauvelt

In testing a server running Ericom's Secure Gateway (http://www.ericom.com/securegateway.asp which we're using with their PowerTerm WebConnect) we see:

"This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F."

I found the instructions for manually testing that here: http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html. So I went and downloaded openssl-0.9.8k source, and after finding it won't compile on Ubuntu 12.04, got it to compile on an old 10.04 system. Then I ran the recommended manual test, which went like this:

# ./openssl s_client -connect NN.NN.NN.NN:443
CONNECTED(00000003)
...
---
HEAD / HTTP/1.0  <<-- entered by me
read:errno=0          <<-- immediate response

So no chance to enter an R to request renegotiation. This was quite consistent. Against other, normal sites, including ssllabs.com, there's the opportunity to enter the R and get to one result or another. So if this is still a good manual test, then the SSL Labs test is throwing a false positive. If it's not a good manual test, it would be useful to know what is.

Thanks,

Whit
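Added example, not part of the original post and not code from Qualys or Ericom: instead of the interactive "R" test above, this Python script sends a TLS 1.2 ClientHello that signals RFC 5746 support (the SCSV plus an empty renegotiation_info extension) and reports whether the ServerHello echoes renegotiation_info, which is what separates a patched "secure renegotiation" server from the legacy behaviour the Labs report flags. The host name, port and the sample ServerHello records are constructed assumptions; check_server() needs network access, everything else runs offline.

```python
import os, socket, struct

RENEG_INFO_EXT, RENEG_SCSV = 0xFF01, b"\x00\xff"   # RFC 5746: renegotiation_info extension type, TLS_EMPTY_RENEGOTIATION_INFO_SCSV

def tls_ext(etype, payload):                        # one TLS extension: type, length, data
    return struct.pack("!HH", etype, len(payload)) + payload

def build_client_hello(hostname):
    """TLS 1.2 ClientHello that signals RFC 5746 support with both the SCSV and an empty renegotiation_info."""
    suites = bytes.fromhex("c02fc030c02bc02c009c009d002f0035") + RENEG_SCSV
    exts = (tls_ext(0x0000, struct.pack("!HBH", len(hostname) + 3, 0, len(hostname)) + hostname.encode())  # SNI (ASCII)
            + tls_ext(0x000A, bytes.fromhex("0004001d0017"))       # supported_groups: x25519, secp256r1
            + tls_ext(0x000D, bytes.fromhex("0006040104030804"))   # signature_algorithms: rsa, ecdsa, rsa-pss (sha256)
            + tls_ext(RENEG_INFO_EXT, b"\x00"))                    # renegotiated_connection = empty on a first handshake
    body = (b"\x03\x03" + os.urandom(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)   # no session id, null compression only
    return b"\x16\x03\x01" + struct.pack("!H", len(body) + 4) + b"\x01" + len(body).to_bytes(3, "big") + body

def parse_server_hello(record):
    """Parse one TLS record holding a ServerHello; renegotiation_info is None when the extension is absent."""
    ctype, body = record[0], record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if ctype != 22 or body[0] != 2:
        raise ValueError("TLS alert %d" % body[1] if ctype == 21 else "first record is not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    off = 35 + hs[34]                                        # skip version, random, session id
    info = {"version": hs[:2].hex(), "cipher": hs[off:off + 2].hex(), "renegotiation_info": None}
    off += 5                                                 # cipher suite, compression method, extensions length
    end = off + struct.unpack("!H", hs[off - 2:off])[0] if off <= len(hs) else off
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        if etype == RENEG_INFO_EXT:
            info["renegotiation_info"] = hs[off + 4:off + 4 + elen]
        off += 4 + elen
    # RFC 5746: on an initial handshake a patched server echoes the extension with an empty (length byte 0) payload
    info["secure_renegotiation"] = info["renegotiation_info"] == b"\x00"
    return info

def check_server(host, port=443, timeout=5.0):
    """Live check (needs network): send the ClientHello and classify the first record the server returns."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as f:
        sock.sendall(build_client_hello(host))
        record = f.read(5)
        record += f.read(struct.unpack("!H", record[3:5])[0])
    return parse_server_hello(record)

def sample_server_hello(with_reneg_info):               # constructed record, not a capture, for offline runs
    exts = tls_ext(RENEG_INFO_EXT, b"\x00") if with_reneg_info else b""
    hs_body = b"\x03\x03" + b"\x00" * 33 + b"\xc0\x2f\x00" + struct.pack("!H", len(exts)) + exts
    return b"\x16\x03\x03" + struct.pack("!H", len(hs_body) + 4) + b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
```

A server whose ServerHello carries no renegotiation_info is what the Labs report classifies as "insecure renegotiation", independent of whether s_client ever gets to the "R" prompt.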