Re: SSL/TLS remove/disable renegotiation capabilities
- In reply to: Robert Fitzpatrick : "SSL/TLS remove/disable renegotiation capabilities"
Date: Thu, 19 Oct 2023 13:27:44 UTC
> Robert Fitzpatrick <mailto:robert@webtent.org>
> Thursday, October 19, 2023 9:18 AM
> As a result of a recent vulnerability scan using the GVM 22.4 scanning
> FreeBSD 13.2, it is recommended to remove/disable renegotiation
> capabilities altogether from/in the affected SSL/TLS service for a
> MEDIUM vulnerability CVE-2011-1473. Looking further at the CVE shows
> DISPUTED, furthermore, it looks like our version of OpenSSL is not
> affected?
>
> robert@gvm:~$ openssl version
> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
>
> CVE: http://cve.circl.lu/cve/CVE-2011-1473
>
> The host manager of the FreeBSD VM will want this mitigated, how could
> I apply the SSL_OP_NO_RENEGOTIATION option to openssl or other solution?

Actually, this is the result of a second CVE:

http://cve.circl.lu/cve/CVE-2011-5094

--
Thanks, Robert
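One way the SSL_OP_NO_RENEGOTIATION option asked about above can be applied library-wide, as an added example that is not part of the original message: OpenSSL 1.1.1 and later accept `NoRenegotiation` in the `Options` command of the configuration file. The section names below are arbitrary labels chosen for this example, and it is an assumption that the affected service loads the default OpenSSL configuration and does not set its own options afterwards.

```ini
# openssl.cnf fragment (added example; section names are arbitrary labels).
# If the file already has an "openssl_conf =" line or these sections,
# merge the settings into the existing ones instead of duplicating them.

# Must appear in the default (unnamed) section at the top of the file.
openssl_conf = openssl_init

[openssl_init]
# Point the library at the SSL module configuration.
ssl_conf = ssl_sect

[ssl_sect]
# "system_default" is applied to every SSL_CTX the library creates.
system_default = system_default_sect

[system_default_sect]
# Same effect as setting SSL_OP_NO_RENEGOTIATION: refuse all
# renegotiation attempts in TLSv1.2 and earlier.
Options = NoRenegotiation
```

A service that builds its own TLS configuration in code needs the equivalent setting in its own configuration or a call to `SSL_CTX_set_options()` with `SSL_OP_NO_RENEGOTIATION`; restart the service after the change so the new defaults are read.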