Renegotiation vulnerability (CVE-2011-1473) in OpenSSL 1.0.2
Mark Hack
markhack at markhack.com
Tue Sep 26 17:08:17 UTC 2023
The MITRE CVE dictionary describes this issue as:
** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not
properly restrict client-initiated renegotiation within the SSL and TLS
protocols, which might make it easier for remote attackers to cause a
denial of service (CPU consumption) by performing many renegotiations
within a single connection, a different vulnerability than
CVE-2011-5094. NOTE: it can also be argued that it is the responsibility
of server deployments, not a security library, to prevent or limit
renegotiation when it is inappropriate within a specific environment.
Besides this being a questionable CVE, the version you are using went
EOS a long time ago unless you have an extended contract.
Regards
Mark Hack
On 9/26/23 11:56, Manish Patidar wrote:
> Hi
> Our product is using OpenSSL 1.0.2 , one of the vulnerability scan
> tool reported vulnerability : CVE-2011-1473.
> Vulnerability description:
> Opensl doesn't properly restrict client-initiated renegotiation
> within the SSL and TLS protocols, which might make it easier for
> remote attackers to cause a denial of service (CPU consumption) by
> performing many renegotiations within a single connection.
>
> Only solution available for this vulnerability, is to disable
> renegotiation using SSL_OP_NO_RENEGOTIATION option. But this option is
> not available in the OpenSSL 1.0.2 version.
>
> Any suggestions, how to fix this vulnerability in OpenSSL 1.0.2 version.
>
> Regards
> Manish
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230926/865c431d/attachment.htm>
More information about the openssl-users
mailing list