Secure Renegotiation is not supported

Impact: Low

Description

When a server does not support secure renegotiation (RFC 5746) in SSL/TLS connections, an attacker positioned between client and server can inject content at the start of a session. Exploiting this weakness also requires that the server allow client-initiated renegotiation.

Recommendation

To address this vulnerability, update the web server application and configure it according to the vendor’s recommendations for production environments. Below is the configuration for Apache HTTP Server.

Set the following directive in the Apache configuration:

  SSLOptions +StdEnvVars

Then add the following variable to your environment variables:

  SSL_SECURE_RENEG=true
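To confirm the result after the change, the following added check (not part of this page or of Apache) asks the server directly whether it advertises RFC 5746 secure renegotiation, using `openssl s_client`; it assumes `openssl` is on the PATH and takes host and port from the caller.

```bash
#!/bin/sh
# Added example: probe a TLS server for RFC 5746 secure renegotiation support.
# Assumes the openssl CLI is installed; host/port are supplied by the caller.

# Classify the summary that `openssl s_client` prints after the handshake.
# Return codes: 0 = supported, 1 = NOT supported, 2 = undetermined.
classify_reneg() {
    case "$1" in
        *"Secure Renegotiation IS NOT supported"*) return 1 ;;
        *"Secure Renegotiation IS supported"*)     return 0 ;;
        *)                                         return 2 ;;
    esac
}

check_secure_reneg() {
    host="$1"
    port="${2:-443}"
    # Force TLS 1.2: renegotiation does not exist in TLS 1.3, so the indicator
    # is only meaningful for TLS 1.2 and older protocol versions.
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
              -servername "$host" -tls1_2 2>/dev/null)
    if classify_reneg "$out"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$host:$port: secure renegotiation supported (RFC 5746)" ;;
        1) echo "$host:$port: secure renegotiation NOT supported - affected" ;;
        *) echo "$host:$port: undetermined (no TLS 1.2 handshake completed?)" ;;
    esac
    return $rc
}

# Usage: check_secure_reneg example.com 443
```

Whether Apache actually negotiates RFC 5746 depends on the OpenSSL library that mod_ssl is linked against (0.9.8m or later), so re-run this probe after updating the server rather than relying on the configuration alone.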

Last updated on May 13, 2024