Mismatch between renegotiation reported vs functional

Shaun Robbins mrshaun13 at gmail.com
Thu Mar 25 21:59:32 UTC 2021


While trying to disable renegotiation, the response from openssl reads
"Secure Renegotiation IS supported" even though renegotiation is failing.

OpenSSL Config:
SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);


$ openssl s_client -connect localhost:443 -tls1_2
[SNIP]
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit

*Secure Renegotiation IS supported*
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
[SNIP]
---
HEAD / HTTP/1.1
R
RENEGOTIATING
139845827855680:error:14094153:SSL routines:ssl3_read_bytes:no renegotiation:../ssl/record/rec_layer_s3.c:1560:

This article refers to this same problem with some screenshots under the
section "Eliminating a false positive":

https://www.mcafee.com/blogs/enterprise/tips-securing-ssl-renegotiation/

Thanks!
--
Shaun Robbins
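An added example (not part of the post above) that separates the two things s_client reports: the "Secure Renegotiation IS supported" line only says the peer sent the RFC 5746 renegotiation_info extension, while whether a renegotiation is actually permitted is visible only in what follows the "R" command (with SSL_OP_NO_RENEGOTIATION the server keeps advertising the extension but answers the renegotiation request with a no_renegotiation alert). The host and port arguments are assumptions, and the sample transcripts are constructed, modelled on the output quoted in the post.

```sh
#!/bin/sh
# Added example: classify "openssl s_client" output so that "advertises
# RFC 5746" is not mistaken for "permits renegotiation".

# Reads s_client output on stdin and prints one line:
#   "refused rfc5746=<yes|no|unknown>"   renegotiation was rejected
#   "completed rfc5746=<...>"            a second handshake ran after R
#   "unknown ..."                        no RENEGOTIATING marker or unrecognised
classify_reneg_output() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS NOT supported"*) rfc5746=no ;;
        *"Secure Renegotiation IS supported"*)     rfc5746=yes ;;
        *)                                          rfc5746=unknown ;;
    esac
    # Only the text after the R command says whether renegotiation happened.
    after=$(printf '%s\n' "$out" | sed -n '/^RENEGOTIATING/,$p')
    if [ -z "$after" ]; then
        echo "unknown rfc5746=$rfc5746 (no RENEGOTIATING marker; was R sent?)"
    elif printf '%s\n' "$after" | grep -q -e 'no renegotiation' -e 'handshake failure'; then
        echo "refused rfc5746=$rfc5746"
    elif printf '%s\n' "$after" | grep -q 'verify return'; then
        # s_client re-runs the certificate verify callback on a new handshake
        echo "completed rfc5746=$rfc5746"
    else
        echo "unknown rfc5746=$rfc5746"
    fi
}

# Check a server you operate (host and port are assumed arguments): send a
# request, then "R" so s_client asks to renegotiate, and classify the result.
probe_reneg() {
    { printf 'HEAD / HTTP/1.1\r\nHost: %s\r\n\r\n' "$1"; sleep 1; printf 'R\n'; sleep 2; } \
        | openssl s_client -connect "$1:$2" -tls1_2 2>&1 | classify_reneg_output
}

# Constructed sample transcripts (modelled on the post; not real captures).
SAMPLE_REFUSED='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
Compression: NONE
---
RENEGOTIATING
139845827855680:error:14094153:SSL routines:ssl3_read_bytes:no renegotiation:../ssl/record/rec_layer_s3.c:1560:'
SAMPLE_COMPLETED='Secure Renegotiation IS supported
---
RENEGOTIATING
depth=0 CN = localhost
verify return:1'

if [ "$#" -eq 2 ]; then probe_reneg "$1" "$2"; fi
```

Run it as `sh reneg_check.sh <host> <port>` against your own server; the constructed samples above yield "refused rfc5746=yes" (the situation in the post: extension advertised, renegotiation disabled) and "completed rfc5746=yes".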