+- Atozed Forums (https://www.atozed.com/forums)
+-- Forum: Atozed Software Products (https://www.atozed.com/forums/forum-1.html)
+--- Forum: IntraWeb (https://www.atozed.com/forums/forum-3.html)
+---- Forum: English (https://www.atozed.com/forums/forum-16.html)
+----- Forum: IntraWeb General Discussion (https://www.atozed.com/forums/forum-4.html)
+----- Thread: SSL/TLS: Renegotiation Vulnerability (/thread-3332.html)
SSL/TLS: Renegotiation Vulnerability - pgnair - 06-23-2023
Hi Team
Please advise how to resolve the below vulnerabilities
Thanks
Pramod
SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)
SSL/TLS: Renegotiation MITM Vulnerability (CVE-2009-3555)
The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.The flaw exists because the remote SSL/TLS service does not properly restrict client-initiated renegotiation within the SSL and TLS protocols. Note: The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state with the following rationale: > It can also be argued that it is the responsibility of server deployments not a security library to prevent or limit renegotiation when it is inappropriate within a specific environment. Both CVEs are still kept in this VT as a reference to the origin of this flaw.The flaw might make it easier for remote attackers to cause a DoS (CPU consumption) by performing many renegotiations within a single connection.
RE: SSL/TLS: Renegotiation Vulnerability - pgnair - 06-26-2023
(06-23-2023, 06:09 AM)pgnair Wrote: Hi Alex
Did you get a chance to look on it please?
Thanks
Pramod
RE: SSL/TLS: Renegotiation Vulnerability - Alexandre Machado - 07-04-2023
Hi,
I guess you've been using Indy server here is that correct?
From the issue:
> The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state
If you are using Indy (which uses OpenSSL) this will certainly affect your application. I think, once it is in disputed state, I believe you should just inform that you are using OpenSSL to provide SSL services.
RE: SSL/TLS: Renegotiation Vulnerability - pgnair - 07-04-2023
(07-04-2023, 05:00 AM)Alexandre Machado Wrote: Hi,>I guess you've been using Indy server here is that correct?
I guess you've been using Indy server here is that correct?
From the issue:
> The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state
If you are using Indy (which uses OpenSSL) this will certainly affect your application. I think, once it is in disputed state, I believe you should just inform that you are using OpenSSL to provide SSL services.
Yes am using Indy Server.
>If you are using Indy (which uses OpenSSL)
OpenSSL dlls are using
>I believe you should just inform that you are using OpenSSL
They might not accept such a comment. Is there any solution for this?
RE: SSL/TLS: Renegotiation Vulnerability - Alexandre Machado - 07-04-2023
This affects all OpenSSL versions as far as I know. I'll do some research but if this is not fixed in OpenSSL, it is a problem without solution, unless you move to Http.sys.
However, I'd like to point out that a gigantic part of Internet's HTTPS is powered by OpenSSL. I'm not convinced that these auditors consider half the world's HTTPS sites "unsafe"
RE: SSL/TLS: Renegotiation Vulnerability - pgnair - 09-26-2023
(07-04-2023, 05:46 AM)Alexandre Machado Wrote: This affects all OpenSSL versions as far as I know. I'll do some research but if this is not fixed in OpenSSL, it is a problem without solution, unless you move to Http.sys.
However, I'd like to point out that a gigantic part of Internet's HTTPS is powered by OpenSSL. I'm not convinced that these auditors consider half the world's HTTPS sites "unsafe"
Sorry to disturb you. Client forcing me to fix this medium vulnerability. Is there any fix from Openssl or any other way to fix it?
RE: SSL/TLS: Renegotiation Vulnerability - mhammady - 09-26-2023
(09-26-2023, 03:37 AM)pgnair Wrote: Sorry to disturb you. Client forcing me to fix this medium vulnerability. Is there any fix from Openssl or any other way to fix it?
I faced this problem before, and I switched the project to ISAPI to run under IIS instead of stand-alone. Another solution is to run your app behind a firewall/load balancer that is able to detect this threat
RE: SSL/TLS: Renegotiation Vulnerability - Alexandre Machado - 09-27-2023
You actually don't need to change it into an ISAPI app. You can still use the SA version with Http.sys base, instead of Indy. It will use the same infrastructure as IIS.
However, to @pgnair, we have just released IntraWeb 15.4.0 with OpenSSL 1.1.1 support which has several enhancements over the existing 1.0 branch. Maybe you should give it a try and see if the "warning" remains.
RE: SSL/TLS: Renegotiation Vulnerability - pgnair - 09-29-2023
(09-27-2023, 06:55 AM)Alexandre Machado Wrote: You actually don't need to change it into an ISAPI app. You can still use the SA version with Http.sys base, instead of Indy. It will use the same infrastructure as IIS.
However, to @pgnair, we have just released IntraWeb 15.4.0 with OpenSSL 1.1.1 support which has several enhancements over the existing 1.0 branch. Maybe you should give it a try and see if the "warning" remains.
Thanks Alex, will try