Re: v1.1.1: “Secure Renegotiation IS NOT supported”

[Matt Caswell]

On 28/10/2021 14:16, Felipe Gasper wrote:
> 
> 
>> On Oct 28, 2021, at 03:52, Matt Caswell <matt at openssl.org> wrote:
>>
>>
>>
>> On 27/10/2021 18:53, Felipe Gasper wrote:
>>> 	Support for secure renegotiation is a “good thing”, right? That being the case, why would the newer OpenSSL version report no support for it while the older one supports it?
>>
>> Probably TLSv1.3 is being negotiated with the newer version. In TLSv1.3 secure renegotiation is not supported because it is irrelevant. TLSv1.3 doesn't do renegotiation at all.
> 
> Ahh, thank you. That makes sense.
> 
> Would a patch that updates s_client’s verbiage be accepted?

Potentially into master, yes. Not into 3.0 or 1.1.1.


  It seems like, when TLS 1.3 is in play, the note about secure 
renegotiation should either be omitted or altered to mention that 
renegotiation support is a non-issue for this TLS version.
> 
> It also seems like the SECURE RENEGOTIATION section of OpenSSL’s docs could use a bit of update to mention that it’s only relevant for 1.2 and prior?

Fixes for the docs are always welcome - even for 3.0 and 1.1.1.


> 
> Related: apparently some security-scanning tools flag any client renegotiation support as a potential vulnerability. Apparently about 10 years back it came out that renegotiations were more expensive on the server than on the client, as a result of which it was possible for a client to run a denial-of-service attack by issuing renegotiation requests over and over. Is this still an issue, or is it something that newer OpenSSLs effectively mitigate?

Over the years there have been various problems related to 
renegotiation. From OpenSSL 3.0 client initiated reneg is disabled by 
default on the server. Note that this is different to whether the server 
claims support for "SECURE RENEGOTIATION". The server will still 
negotiate the secure renegotiation feature, but will reject attempts by 
the client to actually initiate reneg.

Matt