SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Login or Register for Dates, Times and to Reply

 
Thread Tools Search this Thread
Operating Systems Linux Red Hat SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?
# 1  
Question SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Hi all Expertise,

I have following issue to solve,

SSL / TLS Renegotiation DoS (low) 222.225.12.13

Ease of Exploitation Moderate
Port 443/tcp
Family Miscellaneous
Following is the problem description:------------------
Description The remote service encrypts traffic using TLS / SSL and permits clients to
renegotiate
connections. The computational requirements for renegotiating a connection are
asymmetrical between the client and the server, with the server performing several times
more work. Since the remote host does not appear to limit the number of renegotiations
for a single TLS / SSL connection, this permits a client to open several simultaneous
connections and repeatedly renegotiate them, possibly leading to a denial of service
condition.

Impact Over All Impact - PARTIAL
Confidentiality Impact - NONE
Integrity Impact - NONE
Availability Impact - PARTIAL
Recommendations Contact the vendor for specific patch information. It is possible to temporarily workaround the flaw by implementing the following workaround: Disable TLS/SSL renegotiation.

My queries are-
1.How to diasble SSL/TLS Renegotitation ;what we modify in ssl.conf to disable it?
2. Is it advisable to disable it?
2a.If SSL/TLS Renegotitation is disabled then will it affect some operation?
Please guide me, I have googled on this issue but still not sure about mentioned issue's solution.

Please Guide me.
Thanks in Advance!

ONE MORE THING THE SSL CERTIFICATE HAS ALREADY EXPIRED.

So final question how to block a client opening several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition?

Last edited by manalisharmabe; 10-23-2011 at 05:56 PM..
# 2  
This User Gave Thanks to mark54g For This Post:
# 3  
Hi, mark54g,

Thanks for your contribution , could you please explain me this in detail(kind of). I have never work on Apache.
Thanks!

---------- Post updated at 02:26 PM ---------- Previous update was at 02:22 PM ----------







Hi mark, which one of follows should i enter in ssl.conf?


MaxRequestsPerChild Directive

Description:Limit on the number of requests that an individual child server will handle during its life Syntax:MaxRequestsPerChild number Default:MaxRequestsPerChild 10000 Context:server config Status:MPM Module:leader, mpm_netware, mpm_winnt, mpmt_os2, perchild, prefork, threadpool, worker The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire.
--------------------------------------------------------------------------------------------------
Image
MaxClients Directive

Description:Maximum number of connections that will be processed simultaneously Syntax:MaxClients number Default:See usage for details Context:server config Status:MPM Module:beos, leader, prefork, threadpool, worker The MaxClients directive sets the limit on the number of simultaneous requests that will be served. Any connection attempts over the MaxClients limit will normally be queued, up to a number based on the ListenBacklog directive. Once a child process is freed at the end of a different request, the connection will then be serviced.
For non-threaded servers (i.e., prefork), MaxClients translates into the maximum number of child processes that will be launched to serve requests. The default value is 256; to increase it, you must also raise ServerLimit.

---------- Post updated at 02:27 PM ---------- Previous update was at 02:26 PM ----------







Hi mark, which one of follows should i enter in ssl.conf?


MaxRequestsPerChild Directive

Description:Limit on the number of requests that an individual child server will handle during its life Syntax:MaxRequestsPerChild number Default:MaxRequestsPerChild 10000 Context:server config Status:MPM Module:leader, mpm_netware, mpm_winnt, mpmt_os2, perchild, prefork, threadpool, worker The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire.
--------------------------------------------------------------------------------------------------
Image
MaxClients Directive

Description:Maximum number of connections that will be processed simultaneously Syntax:MaxClients number Default:See usage for details Context:server config Status:MPM Module:beos, leader, prefork, threadpool, worker The MaxClients directive sets the limit on the number of simultaneous requests that will be served. Any connection attempts over the MaxClients limit will normally be queued, up to a number based on the ListenBacklog directive. Once a child process is freed at the end of a different request, the connection will then be serviced.
For non-threaded servers (i.e., prefork), MaxClients translates into the maximum number of child processes that will be launched to serve requests. The default value is 256; to increase it, you must also raise ServerLimit.
Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #924
Difficulty: Medium
The present form of UTC, with leap seconds, is only defined starting from 1 January 1972.
True or False?

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

SSL/TLS with openldap

Hello to all, I'm beguinner in Linux instalations and I'm trying to Communicate from Web Sites that i have running under apache with openLDAP for users authentication using SSL mediation that seems to be connected with LDAPS. Can someone advise me how to do this, I have already installed... (1 Reply)
Discussion started by: CPMarco
1 Replies

2. Shell Programming and Scripting

SSH shell script to access FTP over explicit TLS/SSL

Hello, I use the following SSH script to upload *.jpg files via FTP: #!/usr/bin/expect set timeout -1 spawn ftp -v -i expect "" send "\r" expect "Password:" send "\r" expect "ftp>" send "mput *.jpg\r" expect "ftp>" send "quit\r" replaced with actual ftp server/account data. ... (5 Replies)
Discussion started by: mrpi007
5 Replies

3. Cybersecurity

How to disable TLS 1.0 support in Solaris

Hey Guys, I have a couple servers that are getting flagged by by our network security team. How do I disable TLS 1.0 protocol within Solaris? The vulnerability is : CVE-2011-3389 TLS-SSL Server Blockwise Chosen-Boundary Browser Weakness (2 Replies)
Discussion started by: s ladd
2 Replies

4. UNIX for Advanced & Expert Users

ldap over tls -- ssl cert help

Hey Guys, I am trying to setup ldap over tls in our lab. I am generating a self signed cert on the ldap server and importing that into the ldap system so it will use ldap over port 636. The clients will be a mix of solaris and redhat. I am lost on what I need to do on the client side to get... (0 Replies)
Discussion started by: s ladd
0 Replies

5. Red Hat

HOW TO DISABLE SSL/TLS RENEGOTIATION?

Hi guys, Those who work on Apache may help me on this. I have following problem Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the... (3 Replies)
Discussion started by: manalisharmabe
3 Replies

6. Linux

SSL/TLS uses the public key to encrypt data ?

Hi, I have a doubt..whether the SSL/TLS protocol uses the public key of the web server to encrypt data before sending it. I knew the browser verifies the public key of the web server using the digital certificate (by verifying the signature of the certificate using trusted authority). whether... (2 Replies)
Discussion started by: chaitus.28
2 Replies

7. UNIX for Dummies Questions & Answers

TLS/SSL Openldap Centos 5.5

hi guys I configured my openldap but now I want to implement SSL-TLS This is my basic slapd.conf configuration include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include ... (2 Replies)
Discussion started by: karlochacon
2 Replies

8. Shell Programming and Scripting

How to disable Enable/Disable Tab Key

Hi All, I have bash script, so what is sintax script in bash for Enable and Disable Tab Key. Thanks for your help.:( Thanks, Rico (1 Reply)
Discussion started by: carnegiex
1 Replies

9. Cybersecurity

TLS/SSL vulnerability explained

Here's a pretty good, and even PHB-compatible, explanation of the current TLS/SSl protocol vulnerability, including samples. (0 Replies)
Discussion started by: pludi
0 Replies

10. UNIX for Dummies Questions & Answers

Secure ftp using ssl/tls

We have a requirement to setup secure ftp between our AIX v5.3 system and our mainframe. We don't want to use openssh with sftp and scp. Our mainframe uses ftp over ssl/tls so we have to use this on our AIX box. We have openssl on our AIX system but I'm not sure how to setup ssl/tls over ftp on... (4 Replies)
Discussion started by: DANNYC
4 Replies

Featured Tech Videos