Secure Renegotiation is not supported

Description

When a server does not support secure renegotiation in SSL/TLS connections, it becomes vulnerable to content injection at the start of sessions. This vulnerability requires the server to also support client-initiated renegotiations.

Recommendation

To address this vulnerability, update the web server application and configure it according to the vendor’s recommendations for production environments. Below is the configuration for Apache HTTP Server.

Set below directive in Apache configuration:

  SSLOptions +StdEnvVars

And add below variable to your environment variables:

  SSL_SECURE_RENEG=true

References

• Apache Module mod_ssl
• CVE-2009-3555
• CWE-16
• CWE-310
• CAPEC-310
• OWASP 2021-A2
• OWASP 2021-A5
• OWASP 2021-A6

Related Issues

• BREACH attack - CVE-2013-3587
• CRIME (SPDY) attack - CVE-2012-4930
• CRIME (SSL/TLS) attack - CVE-2012-4929
• The POODLE attack - CVE-2014-3566

Tags:

Secure Renegotiation

SSL/TLS

Content Injection

Server Misconfiguration