SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Login to Reply

 
Thread Tools Search this Thread
# 1  
Old 10-23-2011
Question SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Hi all Expertise,

I have following issue to solve,

SSL / TLS Renegotiation DoS (low) 222.225.12.13

Ease of Exploitation Moderate
Port 443/tcp
Family Miscellaneous
Following is the problem description:------------------
Description The remote service encrypts traffic using TLS / SSL and permits clients to
renegotiate
connections. The computational requirements for renegotiating a connection are
asymmetrical between the client and the server, with the server performing several times
more work. Since the remote host does not appear to limit the number of renegotiations
for a single TLS / SSL connection, this permits a client to open several simultaneous
connections and repeatedly renegotiate them, possibly leading to a denial of service
condition.

Impact Over All Impact - PARTIAL
Confidentiality Impact - NONE
Integrity Impact - NONE
Availability Impact - PARTIAL
Recommendations Contact the vendor for specific patch information. It is possible to temporarily workaround the flaw by implementing the following workaround: Disable TLS/SSL renegotiation.

My queries are-
1.How to diasble SSL/TLS Renegotitation ;what we modify in ssl.conf to disable it?
2. Is it advisable to disable it?
2a.If SSL/TLS Renegotitation is disabled then will it affect some operation?
Please guide me, I have googled on this issue but still not sure about mentioned issue's solution.

Please Guide me.
Thanks in Advance!

ONE MORE THING THE SSL CERTIFICATE HAS ALREADY EXPIRED.

So final question how to block a client opening several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition?

Last edited by manalisharmabe; 10-23-2011 at 04:56 PM..
# 2  
Old 10-23-2011
This User Gave Thanks to mark54g For This Post:
manalisharmabe (10-24-2011)
# 3  
Old 10-24-2011
Hi, mark54g,

Thanks for your contribution , could you please explain me this in detail(kind of). I have never work on Apache.
Thanks!

---------- Post updated at 02:26 PM ---------- Previous update was at 02:22 PM ----------







Hi mark, which one of follows should i enter in ssl.conf?


MaxRequestsPerChild Directive

Description:Limit on the number of requests that an individual child server will handle during its life Syntax:MaxRequestsPerChild number Default:MaxRequestsPerChild 10000 Context:server config Status:MPM Module:leader, mpm_netware, mpm_winnt, mpmt_os2, perchild, prefork, threadpool, worker The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire.
--------------------------------------------------------------------------------------------------
Image
MaxClients Directive

Description:Maximum number of connections that will be processed simultaneously Syntax:MaxClients number Default:See usage for details Context:server config Status:MPM Module:beos, leader, prefork, threadpool, worker The MaxClients directive sets the limit on the number of simultaneous requests that will be served. Any connection attempts over the MaxClients limit will normally be queued, up to a number based on the ListenBacklog directive. Once a child process is freed at the end of a different request, the connection will then be serviced.
For non-threaded servers (i.e., prefork), MaxClients translates into the maximum number of child processes that will be launched to serve requests. The default value is 256; to increase it, you must also raise ServerLimit.

---------- Post updated at 02:27 PM ---------- Previous update was at 02:26 PM ----------







Hi mark, which one of follows should i enter in ssl.conf?


MaxRequestsPerChild Directive

Description:Limit on the number of requests that an individual child server will handle during its life Syntax:MaxRequestsPerChild number Default:MaxRequestsPerChild 10000 Context:server config Status:MPM Module:leader, mpm_netware, mpm_winnt, mpmt_os2, perchild, prefork, threadpool, worker The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire.
--------------------------------------------------------------------------------------------------
Image
MaxClients Directive

Description:Maximum number of connections that will be processed simultaneously Syntax:MaxClients number Default:See usage for details Context:server config Status:MPM Module:beos, leader, prefork, threadpool, worker The MaxClients directive sets the limit on the number of simultaneous requests that will be served. Any connection attempts over the MaxClients limit will normally be queued, up to a number based on the ListenBacklog directive. Once a child process is freed at the end of a different request, the connection will then be serviced.
For non-threaded servers (i.e., prefork), MaxClients translates into the maximum number of child processes that will be launched to serve requests. The default value is 256; to increase it, you must also raise ServerLimit.
Login to Reply

|
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Similar Threads More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
AIX LDAP client authenticate against Linux Openldap server over TLS/SSL paco699 AIX 6 10-29-2015 08:07 PM
SSL/TLS with openldap CPMarco UNIX for Advanced & Expert Users 1 10-23-2013 06:22 PM
SSH shell script to access FTP over explicit TLS/SSL mrpi007 Shell Programming and Scripting 5 06-11-2013 01:28 PM
How to disable TLS 1.0 support in Solaris s ladd Security 2 08-08-2012 05:27 PM
ldap over tls -- ssl cert help s ladd UNIX for Advanced & Expert Users 0 02-08-2012 05:18 PM
HOW TO DISABLE SSL/TLS RENEGOTIATION? manalisharmabe Red Hat 3 10-30-2011 06:14 PM
SSL/TLS uses the public key to encrypt data ? chaitus.28 Linux 2 02-10-2011 05:17 AM
TLS/SSL Openldap Centos 5.5 karlochacon UNIX for Dummies Questions & Answers 2 02-02-2011 09:29 AM
How to disable Enable/Disable Tab Key carnegiex Shell Programming and Scripting 1 12-13-2009 12:00 PM
TLS/SSL vulnerability explained pludi Security 0 11-18-2009 11:56 AM
Secure ftp using ssl/tls DANNYC UNIX for Dummies Questions & Answers 4 02-27-2008 11:45 AM
Disable X bbutler3295 UNIX for Dummies Questions & Answers 8 03-19-2002 07:19 PM
All times are GMT -4. The time now is 02:00 PM.

Unix & Linux Forums Content Copyright 1993-2018. All Rights Reserved.
UNIX.COM Login
Username:
Password:  
Show Password





Not a Forum Member?
Forgot Password?