SSL/TLS remove/disable renegotiation capabilities
- Reply: Robert Fitzpatrick : "Re: SSL/TLS remove/disable renegotiation capabilities"
Date: Thu, 19 Oct 2023 13:18:40 UTC
As a result of a recent vulnerability scan using the GVM 22.4 scanning FreeBSD 13.2, it is recommended to remove/disable renegotiation capabilities altogether from/in the affected SSL/TLS service for a MEDIUM vulnerability CVE-2011-1473.

Looking further at the CVE shows DISPUTED, furthermore, it looks like our version of OpenSSL is not affected?

robert@gvm:~$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

CVE: http://cve.circl.lu/cve/CVE-2011-1473

The host manager of the FreeBSD VM will want this mitigated, how could I apply the SSL_OP_NO_RENEGOTIATION option to openssl or other solution?

--
Thanks,
Robert
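
One way to apply the option asked about above without changing application code, as an added example that is not part of the original message: OpenSSL 1.1.1 and later accept `Options = NoRenegotiation` in `openssl.cnf`, which is the configuration-file form of `SSL_OP_NO_RENEGOTIATION`. The section names below are the conventional ones and are assumptions; the setting only reaches programs that load the default OpenSSL configuration and do not override the option themselves.

```ini
# openssl.cnf fragment (added example; section names are assumptions).
# This line must sit in the unnamed default section at the very top of
# the file, before any [section] header.
openssl_conf = openssl_init

# If the file already has an [openssl_init] section (OpenSSL 3.x ships
# one that points at the provider section), add the ssl_conf line to it
# instead of creating a second section with the same name.
[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
# Applied to every SSL_CTX the library creates for programs that load
# this configuration file.
system_default = system_default_sect

[system_default_sect]
# Before: no Options line, so renegotiation on TLS 1.2 and earlier
# is left to whatever the application sets.
# After: equivalent to setting SSL_OP_NO_RENEGOTIATION on the context.
# TLS 1.3 has no renegotiation, so this only changes TLS 1.2 and
# earlier. If an Options line already exists, append the flag to it
# as a comma-separated value rather than adding a second line.
Options = NoRenegotiation
```

The file is in the directory printed by `openssl version -d` on the host that runs the affected service; restart the service after editing so it re-reads the configuration.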