OpenSSL(TLS/SSL) Security DoS Vulnerability - enables client-initiated renegotiation
It is a DoS threat to enable Secure Client-Initiated Renegotiation when using TLS. See CVE-2011-1473 for reference (disputed because it's not OpenSSL's role to fix this, but the role of apps like SPICE that use the OpenSSL API).
testssl.sh may report that a server is vulnerable to CVE-2011-1473 (possible DoS due to client-side renegotiation) even if it only allows a limited number of renegotiation attempts. It concludes that after attempting only one renegotiation.
#bash testssl.sh -R X.X.X.X:9949
ATTENTION: No cipher mapping file found!
Please note from 2.9 on testssl.sh needs files in "$TESTSSL_INSTALL_DIR/etc/" to function correctly.
###########################################################
testssl.sh 3.0 from https://testssl.sh/
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "LibreSSL 2.8.3" [~69 ciphers]
Start 2020-11-30 19:12:54 -->> X.X.X.X:9949 (X.X.X.X) <<--
Testing for Renegotiation vulnerabilities
Secure Renegotiation (RFC 5746) supported (OK)
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), potential DoS threat
For more about this threat, see https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
Apache, IIS, and Lighttpd have all fixed this problem in their latest releases.
HOW TO FIX?
- Disable/limit the ability for a client to initiate a renegotiation
Example: Lighttpd 1.4.30 uses SSL_CTX_set_info_callback to count the number of times SSL_CB_HANDSHAKE_START occurs.

    static void ssl_info_callback(const SSL *ssl, int where, int ret) {
        UNUSED(ret);
        if (0 != (where & SSL_CB_HANDSHAKE_START)) {
            connection *con = SSL_get_app_data(ssl);
            ++con->renegotiations;
        } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
            ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
        }
    }
    ...
    SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
    ...

- Disable the ability for both sides (client/server) to initiate a renegotiation
- OpenSSL 1.0.2 and below
OpenSSL 1.0.2 and below had the ability to disable renegotiation using the (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity changes this is no longer possible in 1.1.0. Therefore the new SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to 1.1.0 to provide equivalent functionality.
https://www.openssl.org/news/cl110.txt
I try to give a patch:
diff --git a/spice/blob/master/server/red-stream.cpp#L203 b/spice/blob/master/server/red-stream.cpp#L203
@@ -201,6 +201,7 @@ static ssize_t stream_ssl_read_cb(RedStream *s, void *buf, size_t size)
{
int return_code;
+ s->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
return_code = SSL_read(s->priv->ssl, buf, size);
if (return_code < 0) {
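Review bot: the added line in stream_ssl_read_cb reaches into `s->priv->ssl->s3` directly, which only compiles against OpenSSL 1.0.2 and below because the SSL struct is opaque from 1.1.0 on, so it needs a version guard such as `#if OPENSSL_VERSION_NUMBER < 0x10100000L` to avoid breaking builds against newer OpenSSL. It also sets the same flag again on every read; setting it once, right after the handshake completes, would have the same effect without touching the read path.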
- OpenSSL 1.1.0 and after
SSL_OP_NO_RENEGOTIATION
Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest messages, and ignore renegotiation requests via ClientHello.
https://www.openssl.org/docs/man1.1.0/man3/SSL_clear_options.html
I try to give a patch:
diff --git /master/server/reds.cpp#L2755
static int reds_init_ssl(RedsState *reds)
{
const SSL_METHOD *ssl_method;
int return_code;
/* Limit connection to TLSv1.1 or newer.
* When some other SSL/TLS version becomes obsolete, add it to this
* variable. */
- long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
+ long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1 | SSL_OP_NO_RENEGOTIATION;
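Review bot: `SSL_OP_NO_RENEGOTIATION` in the new ssl_options initializer is not defined by older OpenSSL headers (the changelog quoted above says it comes from 1.1.1-dev and was backported to 1.1.0), so this line will not compile against them; wrap the extra flag in `#ifdef SSL_OP_NO_RENEGOTIATION`. The comment above the variable still only describes limiting the connection to TLSv1.1 or newer and should also mention that renegotiation is now disabled.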
And this is an example of lighttpd1.4 fixing this problem
Best wishes
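
The lighttpd excerpt under HOW TO FIX counts SSL_CB_HANDSHAKE_START events but does not show how the count is enforced. The following is an added example, not code from lighttpd, SPICE or the original report: a per-connection budget that ignores the initial handshake and flags the connection once it exceeds a set number of renegotiations per time window. The `reneg_guard` type and its functions are hypothetical names, and the example assumes a TLSv1.2 or earlier connection whose info-callback `where` value is passed in by the caller.

```c
#include <stdbool.h>
#include <time.h>

/* OpenSSL's info-callback event bits (ssl.h), repeated here only so the
 * example builds without the OpenSSL headers. */
#ifndef SSL_CB_HANDSHAKE_START
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20
#endif

/* Hypothetical per-connection state, e.g. reachable via SSL_get_app_data(). */
typedef struct {
    bool     handshaked;   /* initial handshake has completed */
    bool     blocked;      /* budget exceeded; connection should be closed */
    unsigned renegs;       /* renegotiations seen in the current window */
    unsigned max_renegs;   /* allowed per window; 0 forbids renegotiation */
    time_t   window_start; /* start of the current counting window */
    time_t   window_secs;  /* window length in seconds, must be > 0 */
} reneg_guard;

void reneg_guard_init(reneg_guard *g, unsigned max_renegs, time_t window_secs) {
    g->handshaked = false;
    g->blocked = false;
    g->renegs = 0;
    g->max_renegs = max_renegs;
    g->window_start = 0;
    g->window_secs = window_secs;
}

/* Call with the `where` argument of every info-callback event and the current
 * time. Returns true once the connection has exceeded its budget. */
bool reneg_guard_event(reneg_guard *g, int where, time_t now) {
    if (g->blocked)
        return true;
    if (where & SSL_CB_HANDSHAKE_DONE) {
        g->handshaked = true;
        return false;
    }
    if (!(where & SSL_CB_HANDSHAKE_START) || !g->handshaked)
        return false;              /* initial handshake or unrelated event */
    if (now - g->window_start >= g->window_secs) {
        g->window_start = now;     /* window expired: start a new count */
        g->renegs = 0;
    }
    if (++g->renegs > g->max_renegs)
        g->blocked = true;
    return g->blocked;
}
```

To wire it in, call `reneg_guard_event()` from the callback registered with SSL_CTX_set_info_callback and close the connection when it returns true.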