SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable? | Unix Linux Forums | Red Hat

  Go Back    


Red Hat Red Hat is the world's leading open source technology solutions provider with offerings including Red Hat Enterprise Linux (RHEL), Fedora, open source applications, security and systems management, virtualization, and Services Oriented Architecture (SOA) solutions.

SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Red Hat


Closed Thread    
 
Thread Tools Search this Thread Display Modes
    #1  
Old 10-23-2011
manalisharmabe manalisharmabe is offline
Registered User
 
Join Date: Jul 2011
Last Activity: 13 June 2014, 4:26 AM EDT
Posts: 159
Thanks: 103
Thanked 2 Times in 2 Posts
Question SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Hi all Expertise,

I have following issue to solve,

SSL / TLS Renegotiation DoS (low) 222.225.12.13

Ease of Exploitation Moderate
Port 443/tcp
Family Miscellaneous
Following is the problem description:------------------
Description The remote service encrypts traffic using TLS / SSL and permits clients to
renegotiate
connections. The computational requirements for renegotiating a connection are
asymmetrical between the client and the server, with the server performing several times
more work. Since the remote host does not appear to limit the number of renegotiations
for a single TLS / SSL connection, this permits a client to open several simultaneous
connections and repeatedly renegotiate them, possibly leading to a denial of service
condition.

Impact Over All Impact - PARTIAL
Confidentiality Impact - NONE
Integrity Impact - NONE
Availability Impact - PARTIAL
Recommendations Contact the vendor for specific patch information. It is possible to temporarily workaround the flaw by implementing the following workaround: Disable TLS/SSL renegotiation.

My queries are-
1.How to diasble SSL/TLS Renegotitation ;what we modify in ssl.conf to disable it?
2. Is it advisable to disable it?
2a.If SSL/TLS Renegotitation is disabled then will it affect some operation?
Please guide me, I have googled on this issue but still not sure about mentioned issue's solution.

Please Guide me.
Thanks in Advance!

ONE MORE THING THE SSL CERTIFICATE HAS ALREADY EXPIRED.

So final question how to block a client opening several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition?

Last edited by manalisharmabe; 10-23-2011 at 03:56 PM..
Sponsored Links
    #2  
Old 10-23-2011
mark54g mark54g is offline Forum Advisor  
Registered User
 
Join Date: May 2008
Last Activity: 26 July 2013, 11:43 AM EDT
Location: Northeastern United States
Posts: 918
Thanks: 1
Thanked 61 Times in 58 Posts
What about max connections per client?

Apache Max Client - HTML Forums - Free Webmaster Forums and Help Forums
The Following User Says Thank You to mark54g For This Useful Post:
manalisharmabe (10-24-2011)
Sponsored Links
    #3  
Old 10-24-2011
manalisharmabe manalisharmabe is offline
Registered User
 
Join Date: Jul 2011
Last Activity: 13 June 2014, 4:26 AM EDT
Posts: 159
Thanks: 103
Thanked 2 Times in 2 Posts
Hi, mark54g,

Thanks for your contribution , could you please explain me this in detail(kind of). I have never work on Apache.
Thanks!

---------- Post updated at 02:26 PM ---------- Previous update was at 02:22 PM ----------







Hi mark, which one of follows should i enter in ssl.conf?


MaxRequestsPerChild Directive

Description:Limit on the number of requests that an individual child server will handle during its life Syntax:MaxRequestsPerChild number Default:MaxRequestsPerChild 10000 Context:server config Status:MPM Module:leader, mpm_netware, mpm_winnt, mpmt_os2, perchild, prefork, threadpool, worker The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire.
--------------------------------------------------------------------------------------------------

MaxClients Directive

Description:Maximum number of connections that will be processed simultaneously Syntax:MaxClients number Default:See usage for details Context:server config Status:MPM Module:beos, leader, prefork, threadpool, worker The MaxClients directive sets the limit on the number of simultaneous requests that will be served. Any connection attempts over the MaxClients limit will normally be queued, up to a number based on the ListenBacklog directive. Once a child process is freed at the end of a different request, the connection will then be serviced.
For non-threaded servers (i.e., prefork), MaxClients translates into the maximum number of child processes that will be launched to serve requests. The default value is 256; to increase it, you must also raise ServerLimit.

---------- Post updated at 02:27 PM ---------- Previous update was at 02:26 PM ----------







Hi mark, which one of follows should i enter in ssl.conf?


MaxRequestsPerChild Directive

Description:Limit on the number of requests that an individual child server will handle during its life Syntax:MaxRequestsPerChild number Default:MaxRequestsPerChild 10000 Context:server config Status:MPM Module:leader, mpm_netware, mpm_winnt, mpmt_os2, perchild, prefork, threadpool, worker The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire.
--------------------------------------------------------------------------------------------------

MaxClients Directive

Description:Maximum number of connections that will be processed simultaneously Syntax:MaxClients number Default:See usage for details Context:server config Status:MPM Module:beos, leader, prefork, threadpool, worker The MaxClients directive sets the limit on the number of simultaneous requests that will be served. Any connection attempts over the MaxClients limit will normally be queued, up to a number based on the ListenBacklog directive. Once a child process is freed at the end of a different request, the connection will then be serviced.
For non-threaded servers (i.e., prefork), MaxClients translates into the maximum number of child processes that will be launched to serve requests. The default value is 256; to increase it, you must also raise ServerLimit.
Sponsored Links
Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Disable ftp pxy2d1 Solaris 5 02-07-2010 01:05 AM
How to disable Enable/Disable Tab Key carnegiex Shell Programming and Scripting 1 12-13-2009 11:00 AM
How to disable SU right civic2005 Solaris 4 12-16-2008 10:19 AM
disable rsh sriram.s AIX 3 05-11-2007 12:18 PM
disable su sak900354 UNIX for Dummies Questions & Answers 2 06-15-2006 03:56 AM



All times are GMT -4. The time now is 06:07 PM.