Home Man
Search
Today's Posts
Register

Red Hat is the world's leading open source technology solutions provider with offerings including Red Hat Enterprise Linux (RHEL), Fedora, open source applications, security and systems management, virtualization, and Services Oriented Architecture (SOA) solutions.

SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

👤 Login to reply

 
Thread Tools Search this Thread
# 1  
Old 10-23-2011
Question SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Hi all Expertise,

I have following issue to solve,

SSL / TLS Renegotiation DoS (low) 222.225.12.13

Ease of Exploitation Moderate
Port 443/tcp
Family Miscellaneous
Following is the problem description:------------------
Description The remote service encrypts traffic using TLS / SSL and permits clients to
renegotiate
connections. The computational requirements for renegotiating a connection are
asymmetrical between the client and the server, with the server performing several times
more work. Since the remote host does not appear to limit the number of renegotiations
for a single TLS / SSL connection, this permits a client to open several simultaneous
connections and repeatedly renegotiate them, possibly leading to a denial of service
condition.

Impact Over All Impact - PARTIAL
Confidentiality Impact - NONE
Integrity Impact - NONE
Availability Impact - PARTIAL
Recommendations Contact the vendor for specific patch information. It is possible to temporarily workaround the flaw by implementing the following workaround: Disable TLS/SSL renegotiation.

My queries are-
1.How to diasble SSL/TLS Renegotitation ;what we modify in ssl.conf to disable it?
2. Is it advisable to disable it?
2a.If SSL/TLS Renegotitation is disabled then will it affect some operation?
Please guide me, I have googled on this issue but still not sure about mentioned issue's solution.

Please Guide me.
Thanks in Advance!

ONE MORE THING THE SSL CERTIFICATE HAS ALREADY EXPIRED.

So final question how to block a client opening several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition?

Last edited by manalisharmabe; 10-23-2011 at 03:56 PM..
# 2  
Old 10-23-2011
The Following User Says Thank You to mark54g For This Useful Post:
manalisharmabe (10-24-2011)
# 3  
Old 10-24-2011
Hi, mark54g,

Thanks for your contribution , could you please explain me this in detail(kind of). I have never work on Apache.
Thanks!

---------- Post updated at 02:26 PM ---------- Previous update was at 02:22 PM ----------







Hi mark, which one of follows should i enter in ssl.conf?


MaxRequestsPerChild Directive

Description:Limit on the number of requests that an individual child server will handle during its life Syntax:MaxRequestsPerChild number Default:MaxRequestsPerChild 10000 Context:server config Status:MPM Module:leader, mpm_netware, mpm_winnt, mpmt_os2, perchild, prefork, threadpool, worker The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire.
--------------------------------------------------------------------------------------------------

MaxClients Directive

Description:Maximum number of connections that will be processed simultaneously Syntax:MaxClients number Default:See usage for details Context:server config Status:MPM Module:beos, leader, prefork, threadpool, worker The MaxClients directive sets the limit on the number of simultaneous requests that will be served. Any connection attempts over the MaxClients limit will normally be queued, up to a number based on the ListenBacklog directive. Once a child process is freed at the end of a different request, the connection will then be serviced.
For non-threaded servers (i.e., prefork), MaxClients translates into the maximum number of child processes that will be launched to serve requests. The default value is 256; to increase it, you must also raise ServerLimit.

---------- Post updated at 02:27 PM ---------- Previous update was at 02:26 PM ----------







Hi mark, which one of follows should i enter in ssl.conf?


MaxRequestsPerChild Directive

Description:Limit on the number of requests that an individual child server will handle during its life Syntax:MaxRequestsPerChild number Default:MaxRequestsPerChild 10000 Context:server config Status:MPM Module:leader, mpm_netware, mpm_winnt, mpmt_os2, perchild, prefork, threadpool, worker The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire.
--------------------------------------------------------------------------------------------------

MaxClients Directive

Description:Maximum number of connections that will be processed simultaneously Syntax:MaxClients number Default:See usage for details Context:server config Status:MPM Module:beos, leader, prefork, threadpool, worker The MaxClients directive sets the limit on the number of simultaneous requests that will be served. Any connection attempts over the MaxClients limit will normally be queued, up to a number based on the ListenBacklog directive. Once a child process is freed at the end of a different request, the connection will then be serviced.
For non-threaded servers (i.e., prefork), MaxClients translates into the maximum number of child processes that will be launched to serve requests. The default value is 256; to increase it, you must also raise ServerLimit.
👤 Login to reply

« Previous Thread | Next Thread »
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Disable RBAC - AIX Zio Bill AIX 3 04-23-2012 09:05 AM
HOW TO DISABLE SSL/TLS RENEGOTIATION? manalisharmabe Red Hat 3 10-30-2011 05:14 PM
Disable ftp pxy2d1 Solaris 5 02-07-2010 01:05 AM
How to disable Enable/Disable Tab Key carnegiex Shell Programming and Scripting 1 12-13-2009 11:00 AM
Disable SSH key authentication youdexter Shell Programming and Scripting 3 01-09-2009 01:11 AM
How to disable SU right civic2005 Solaris 4 12-16-2008 10:19 AM
Disable GUI HP-UX mdjuarsa HP-UX 1 10-06-2007 07:51 AM
disable rsh sriram.s AIX 3 05-11-2007 12:18 PM
disable su sak900354 UNIX for Dummies Questions & Answers 2 06-15-2006 03:56 AM
Disable X bbutler3295 UNIX for Dummies Questions & Answers 8 03-19-2002 06:19 PM


All times are GMT -4. The time now is 01:24 AM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
UNIX.COM Login
Username:
Password:  
Show Password