LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-23-2011, 02:08 PM   #1
manalisharmabe
Member
 
Registered: Dec 2010
Posts: 240

Rep: Reputation: 1
SSL/TLS renegotiation DoS - how to disable? Is it advisable to disable?


Hi all experts,

I have the following issue to solve:

SSL / TLS Renegotiation DoS (low) 222.225.12.13

Ease of Exploitation Moderate
Port 443/tcp
Family Miscellaneous
Following is the problem description:
Description The remote service encrypts traffic using TLS / SSL and permits clients to
renegotiate
connections. The computational requirements for renegotiating a connection are
asymmetrical between the client and the server, with the server performing several times
more work. Since the remote host does not appear to limit the number of renegotiations
for a single TLS / SSL connection, this permits a client to open several simultaneous
connections and repeatedly renegotiate them, possibly leading to a denial of service
condition.

Impact Over All Impact - PARTIAL
Confidentiality Impact - NONE
Integrity Impact - NONE
Availability Impact - PARTIAL
Recommendations Contact the vendor for specific patch information. It is possible to temporarily workaround the flaw by implementing the following workaround: Disable TLS/SSL renegotiation.

My queries are-
1. How to disable SSL/TLS renegotiation; what do we modify in ssl.conf to disable it?
2. Is it advisable to disable it?
2a. If SSL/TLS renegotiation is disabled, will it affect some operation?
Please guide me; I have googled this issue but am still not sure about the solution to the mentioned issue.

Please Guide me.
Thanks in Advance!

ONE MORE THING THE SSL CERTIFICATE HAS ALREADY EXPIRED.

So, final question: how to block a client from opening several simultaneous connections and repeatedly renegotiating them, possibly leading to a denial of service condition?

Last edited by manalisharmabe; 10-23-2011 at 02:55 PM.
 
Old 10-30-2011, 09:15 AM   #2
manalisharmabe
Member
 
Registered: Dec 2010
Posts: 240

Original Poster
Rep: Reputation: 1
How to disable SSL/TLS renegotiation?

Hi guys, those who work on Apache may help me with this.

I have the following problem.

Description:
The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate
connections. The computational requirements for renegotiating a connection are
asymmetrical between the client and the server, with the server performing several times
more work. Since the remote host does not appear to limit the number of renegotiations
for a single TLS / SSL connection, this permits a client to open several simultaneous
connections and repeatedly renegotiate them, possibly leading to a denial of service
condition.
(In short, tell me how to disable SSL/TLS renegotiation?
Will disabling it stop some functionality?)
Moreover, the SSL certificate has already expired. It is in the process of being renewed.

This is the output of

httpd -V

Server version: Apache/2.2.3
Server built: Sep 3 2009 17:38:51
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 32-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"


--------------------------------------------------------------------------------------------

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

What is the use of SSLEngine on?

Will the value "SSLEngine off" disable SSL/TLS renegotiation?
-----------------------------------------------------------------------------------------
Following are some important parts of the httpd.conf file.

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# ServerLimit: maximum value for MaxClients for the lifetime of the server
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>

Which module is used, prefork or worker, or both?
Should I also keep "MaxRequestsPerChild" at 4000 so that a single client can't send multiple requests causing denial of service?

Please guide me; I am new to Apache stuff.

Thanks.
 
Old 10-30-2011, 09:31 AM   #3
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
In a nutshell, I just Googled 'apache disable ssl renegotiation' and would you believe it, this was the first of many answers ;-)

http://blog.techstacks.com/2010/07/d...in-apache.html
 
2 members found this post helpful.
Old 10-30-2011, 10:41 AM   #4
manalisharmabe
Member
 
Registered: Dec 2010
Posts: 240

Original Poster
Rep: Reputation: 1
Thanks leslie_jones!

I had already seen that parameter on the internet.

I have made the required changes, like

in /etc/https/conf.d/ssl.conf

I have put

SSLInsecureRenegotiation off

But do I need to restart any service for this to take effect?

like service sshd restart?

or service httpd restart?


Please reply!

Thanks!
 
Old 10-30-2011, 10:50 AM   #5
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,456

Rep: Reputation: 2538
Quote:
Originally Posted by manalisharmabe View Post
Thanks leslie_jones!

I had already seen that parameter on the internet. I have made the required changes, like in /etc/https/conf.d/ssl.conf I have put

SSLInsecureRenegotiation off

But do I need to restart any service for this to take effect? Like service sshd restart? Or service httpd restart?
If you actually did Google it, you would have also seen the other info on making it work. You will have to restart ANY service after you make changes, so yes, restart your services.
 
1 members found this post helpful.
Old 10-31-2011, 06:02 AM   #6
manalisharmabe
Member
 
Registered: Dec 2010
Posts: 240

Original Poster
Rep: Reputation: 1
What is SSL renegotiation module?

Which module is necessary?
 
Old 10-31-2011, 07:47 AM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Let's ask a question from a different perspective: are you CURRENTLY having a problem with DOS from this condition? If not, why are you focusing on preventing a problem that does not exist?
 
Old 10-31-2011, 09:57 AM   #8
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,456

Rep: Reputation: 2538
Quote:
Originally Posted by manalisharmabe View Post
What is SSL renegotiation module?

Which module is necessary?
...and if you bothered just typing your question into Google, the VERY FIRST HIT tells you the answer:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
 
Old 11-02-2011, 11:10 AM   #9
manalisharmabe
Member
 
Registered: Dec 2010
Posts: 240

Original Poster
Rep: Reputation: 1
How to fix OpenSSL 0.9.8e vulnerability?

Hi guys,

I want to disable SSL/TLS renegotiation on one machine. The SSL certificate is expired.
Following is all the information I can give regarding this machine.

openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

rpm -qa | grep httpd
system-config-httpd-1.3.3.3-1.el5
httpd-manual-2.2.3-53.el5.centos.3
httpd-2.2.3-53.el5.centos.3

rpm -qa | grep mod_ssl
mod_ssl-2.2.3-53.el5.centos.3

cat /etc/redhat-release

CentOS release 5.5 (Final)

yum list openssl

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.net.cen.ct.gov
* extras: mirrors.lga7.us.voxel.net
* updates: centos.corenetworks.net
Installed Packages
openssl.i386 0.9.8e-12.el5_4.6 installed
Available Packages
openssl.i386 0.9.8e-20.el5 base
openssl.i686 0.9.8e-20.el5 base

yum list httpd

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.net.cen.ct.gov
* extras: mirrors.lga7.us.voxel.net
* updates: centos.corenetworks.net
Installed Packages
httpd.i386 2.2.3-53.el5.centos.3 installed

openssl s_client -connect www.newrule.com:443 (this is how we check whether the renegotiation is supported or not)

CONNECTED(00000003)
---
Certificate chain Inc/OU=IMS/CN=
i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Massachusetts/L=Cambridge/O=huite jioter Inc/OU=IMS/CN=www.newrule.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
No client certificate CA names sent
---
SSL handshake has read 1312 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported <------- i want to make this NOT supported.
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 8A1012E7FB8E21B8D4A499EA2F5923A39CB82625A4E3DA445F17E27397E27490
Session-ID-ctx:
Master-Key: ED3A9CC45C7CAF6502F83A38D09BED85D16D0F7B345BC38AB04CFAA7D6686ACE710A69CC8B25659AD342696CEDA07D04
Key-Arg : None
Krb5 Principal: None
Start Time: 1320242009
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)


I have read in an article that it is a common vulnerability in the openssl 0.9.8e package, and just updating to openssl 1.0 is not done by yum update openssl; we will have to compile it, but that is not recommended. The site www.newrule.com is in live use; we cannot simply update httpd either.

So what should I do, and how should I disable SSL renegotiation?
Is any patch available? If yes, what data do I have to back up before applying the patch?

I have this patch 'SSLInsecureRenegotiation_httpd_2_0_x-backport-r917044.patch', but should I apply it? Will it disable SSL renegotiation?
Will my current configuration be affected by this patch? And lastly, how do I apply this patch if it is needed?


Please Guide me.
 
0 members found this post helpful.
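An added triage helper (example code, not from the thread, OpenSSL or Apache) for the `openssl s_client` check shown in the post above: it parses the s_client output and reports the renegotiation line, the verify return code and the server key size, so the scanner finding can be compared against the live server's behaviour instead of the package version. The function names `parse_s_client` and `check_host` are assumptions, and the sample output is constructed from the lines in the post.

```shell
#!/bin/sh
# Added example: summarise `openssl s_client` output for triage.
# parse_s_client reads s_client output on stdin and prints one line:
#   reneg=<secure|not-supported|unknown> verify=<code> key=<bits>
parse_s_client() {
    out=$(cat)
    case "$out" in
        *'Secure Renegotiation IS NOT supported'*) reneg=not-supported ;;
        *'Secure Renegotiation IS supported'*)     reneg=secure ;;
        *)                                         reneg=unknown ;;
    esac
    # "Verify return code: 21 (unable to verify the first certificate)" -> 21
    verify=$(printf '%s\n' "$out" |
        sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    # "Server public key is 1024 bit" -> 1024
    key=$(printf '%s\n' "$out" |
        sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' | head -n 1)
    printf 'reneg=%s verify=%s key=%s\n' \
        "$reneg" "${verify:-unknown}" "${key:-unknown}"
}

# Live check against host:port (needs network; not run offline).
# Usage: check_host www.example.com:443   (hypothetical host)
check_host() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | parse_s_client
}

# Constructed sample: the relevant lines of the s_client run in the post,
# with the certificate body and session keys left out.
SAMPLE='CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1312 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Verify return code: 21 (unable to verify the first certificate)'

printf '%s\n' "$SAMPLE" | parse_s_client
# reneg=secure verify=21 key=1024
```

"Secure Renegotiation IS supported" only shows that the RFC 5746 extension was negotiated; it says nothing about whether the server limits how many renegotiations one client may request, which is what the scanner's DoS finding concerns. A verify return code other than 0 (21 here) should be read together with the certificate's dates, since an expired certificate also yields a non-zero code.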
Old 11-02-2011, 12:19 PM   #10
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,989
Blog Entries: 5

Rep: Reputation: 781
CentOS is a binary recompile of RHEL (RedHat Enterprise Linux) source.

RHEL and its derivatives, unlike other Linux distros, continue to use the same base upstream package (e.g. your SSL 0.9.8e) throughout its life. However, RHEL backports security and bug fixes into their version, so you have to look at the extended version, which is 0.9.8e-fips-rhel5. You'd then need to determine if the security issue you're concerned with exists in the RHEL (CentOS) version, as it likely does NOT if you're at the latest one provided by the yum repositories.

Many security scanners don't bother to look at the extended versioning of RHEL packages, so they will often falsely report that you have security vulnerabilities that you do NOT have. So long as you can determine what vulnerability (ideally the CVE #) they say you have, you can generally show where that has been addressed in your RHEL extended version. Also, to prevent the scanner from reporting it anyway, for many things you can (and should) hide the version from scans. Not only does it prevent the false reports, it also prevents hackers from determining exactly which version you have.
 
0 members found this post helpful.
Old 11-02-2011, 12:54 PM   #11
manalisharmabe
Member
 
Registered: Dec 2010
Posts: 240

Original Poster
Rep: Reputation: 1
MensaWater, thanks for your words,
but how to disable SSL renegotiation?
 
0 members found this post helpful.
Old 11-02-2011, 01:28 PM   #12
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,989
Blog Entries: 5

Rep: Reputation: 781
You might want to review this from RedHat regarding secure renegotiation:

https://access.redhat.com/kb/docs/DOC-20491
 
Old 11-03-2011, 08:30 AM   #13
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
manalisharmabe, this is now your THIRD thread in this forum inside of one week on this same subject of disabling SSL/TLS renegotiation. I am sorry if you are not getting the desired answer, but please stop starting a new thread with the question rephrased in the hope of getting a different answer. This thread has been reported.
 
1 members found this post helpful.
Old 11-03-2011, 07:18 PM   #14
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,456

Rep: Reputation: 2538
Quote:
Originally Posted by manalisharmabe View Post
MensaWater, thanks for your words,
but how to disable SSL renegotiation?
You follow the instructions given to you several times previously. What HAVE you done/tried?? Anything that's been suggested? Restart the service??

Asking the same question over and over will NOT get you different answers.
 