HOW TO DISABLE SSL/TLS RENEGOTIATION?

 
Thread Tools Search this Thread
Operating Systems Linux Red Hat HOW TO DISABLE SSL/TLS RENEGOTIATION?
# 1  
Old 10-30-2011
HOW TO DISABLE SSL/TLS RENEGOTIATION?

Hi guys, Those who work on Apache may help me on this.


I have following problem


Description:
The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate
connections. The computational requirements for renegotiating a connection are
asymmetrical between the client and the server, with the server performing several times
more work. Since the remote host does not appear to limit the number of renegotiations
for a single TLS / SSL connection, this permits a client to open several simultaneous
connections and repeatedly renegotiate them, possibly leading to a denial of service
condition.
(In short tell me how to disable SSL/TLS renegotiation?
Will Disabling it will stop some funtionality?)
Moreover the SSL certificate has already expired. It is in the process to get renewed.

This output of
Code:
httpd -V

Server version: Apache/2.2.3
Server built: Sep 3 2009 17:38:51
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 32-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

--------------------------------------------------------------------------------------------
Code:
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on


What is use of SSLEngine on?


Will " SSLEngine off" value will disable SSL/TLS renegotiation ?
Code:
Following are the some important part of httpd.conf file.


#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off


#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100


#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15


##
## Server-Pool Size Regulation (MPM specific)
## 


# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# ServerLimit: maximum value for MaxClients for the lifetime of the server
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
</IfModule>


# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75 
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>

Which module is used prefork or worker or both?
Should I keep "MaxRequestsPerChild" to also 4000 so that a single client can't send multiple request causing denial of service?


Please guide me I am new to Apache stuff.


Thanks.


---------- Post updated at 09:11 PM ---------- Previous update was at 07:46 PM ----------

Reply Please..........

Last edited by Scott; 10-30-2011 at 12:50 PM.. Reason: Formatting; Code Tags
# 2  
Old 10-30-2011
This is CVE-2009-3555, read about it here:

CVE - CVE-2009-3555 (under review)

Here is a thread on how to take care of this in Apache:

CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation
# 3  
Old 10-30-2011
I had already seen that parameter on internet.

I have made required changes like

in /etc/https/conf.d/ssl.conf

i have put

SSLInsecureRenegotiation off

But do I need to restart any service to take this effect?

like service sshd restart?

or service httpd restart?


Please reply!

Thanks!

Last edited by Scott; 10-30-2011 at 06:26 PM..
# 4  
Old 10-30-2011
Restart apache, once you have made the changes.
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

SSL/TLS with openldap

Hello to all, I'm beguinner in Linux instalations and I'm trying to Communicate from Web Sites that i have running under apache with openLDAP for users authentication using SSL mediation that seems to be connected with LDAPS. Can someone advise me how to do this, I have already installed... (1 Reply)
Discussion started by: CPMarco
1 Replies

2. Shell Programming and Scripting

SSH shell script to access FTP over explicit TLS/SSL

Hello, I use the following SSH script to upload *.jpg files via FTP: #!/usr/bin/expect set timeout -1 spawn ftp -v -i expect "" send "\r" expect "Password:" send "\r" expect "ftp>" send "mput *.jpg\r" expect "ftp>" send "quit\r" replaced with actual ftp server/account data. ... (5 Replies)
Discussion started by: mrpi007
5 Replies

3. Cybersecurity

How to disable TLS 1.0 support in Solaris

Hey Guys, I have a couple servers that are getting flagged by by our network security team. How do I disable TLS 1.0 protocol within Solaris? The vulnerability is : CVE-2011-3389 TLS-SSL Server Blockwise Chosen-Boundary Browser Weakness (2 Replies)
Discussion started by: s ladd
2 Replies

4. UNIX for Advanced & Expert Users

ldap over tls -- ssl cert help

Hey Guys, I am trying to setup ldap over tls in our lab. I am generating a self signed cert on the ldap server and importing that into the ldap system so it will use ldap over port 636. The clients will be a mix of solaris and redhat. I am lost on what I need to do on the client side to get... (0 Replies)
Discussion started by: s ladd
0 Replies

5. Red Hat

SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Hi all Expertise, I have following issue to solve, SSL / TLS Renegotiation DoS (low) 222.225.12.13 Ease of Exploitation Moderate Port 443/tcp Family Miscellaneous Following is the problem description:------------------ Description The remote service encrypts traffic using TLS / SSL and... (2 Replies)
Discussion started by: manalisharmabe
2 Replies

6. Linux

SSL/TLS uses the public key to encrypt data ?

Hi, I have a doubt..whether the SSL/TLS protocol uses the public key of the web server to encrypt data before sending it. I knew the browser verifies the public key of the web server using the digital certificate (by verifying the signature of the certificate using trusted authority). whether... (2 Replies)
Discussion started by: chaitus.28
2 Replies

7. UNIX for Dummies Questions & Answers

TLS/SSL Openldap Centos 5.5

hi guys I configured my openldap but now I want to implement SSL-TLS This is my basic slapd.conf configuration include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include ... (2 Replies)
Discussion started by: karlochacon
2 Replies

8. Cybersecurity

TLS/SSL vulnerability explained

Here's a pretty good, and even PHB-compatible, explanation of the current TLS/SSl protocol vulnerability, including samples. (0 Replies)
Discussion started by: pludi
0 Replies

9. UNIX for Dummies Questions & Answers

Secure ftp using ssl/tls

We have a requirement to setup secure ftp between our AIX v5.3 system and our mainframe. We don't want to use openssh with sftp and scp. Our mainframe uses ftp over ssl/tls so we have to use this on our AIX box. We have openssl on our AIX system but I'm not sure how to setup ssl/tls over ftp on... (4 Replies)
Discussion started by: DANNYC
4 Replies
Login or Register to Ask a Question