Re: SSL/TLS remove/disable renegotiation capabilities

From: Robert Fitzpatrick <robert_at_webtent.org>
Date: Thu, 19 Oct 2023 13:27:44 UTC
> Robert Fitzpatrick <mailto:robert@webtent.org>
> Thursday, October 19, 2023 9:18 AM
> As a result of a recent vulnerability scan using the GVM 22.4 scanning
> FreeBSD 13.2, it is recommended to remove/disable renegotiation
> capabilities altogether from/in the affected SSL/TLS service for a
> MEDIUM vulnerability CVE-2011-1473. Looking further at the CVE shows
> DISPUTED, furthermore, it looks like our version of OpenSSL is not
> affected?
>
> robert@gvm:~$ openssl version
> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
>
> CVE: http://cve.circl.lu/cve/CVE-2011-1473
>
> The host manager of the FreeBSD VM will want this mitigated, how could
> I apply the SSL_OP_NO_RENEGOTIATION option to openssl or other solution?
Actually, this is the result of a second CVE: 
http://cve.circl.lu/cve/CVE-2011-5094

-- 
Thanks, Robert