Renegotiation vulnerability (CVE-2011-1473) in OpenSSL 1.0.2

[Manish Patidar]

Thanks Mark for your reply.

We have extended support for this Version.

Is there any way to avoid this vulnerability  ?



On Tue, Sep 26, 2023 at 10:38 PM Mark Hack <markhack at markhack.com> wrote:

> The MITRE CVE dictionary describes this issue as:
>
> ** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not
> properly restrict client-initiated renegotiation within the SSL and TLS
> protocols, which might make it easier for remote attackers to cause a
> denial of service (CPU consumption) by performing many renegotiations
> within a single connection, a different vulnerability than CVE-2011-5094.
> NOTE: it can also be argued that it is the responsibility of server
> deployments, not a security library, to prevent or limit renegotiation when
> it is inappropriate within a specific environment.
>
>
> Besides this being a questionable CVE, the version you are using went EOS
> a long time ago unless you have an extended contract.
>
> Regards
>
> Mark Hack
>
> On 9/26/23 11:56, Manish Patidar wrote:
>
> Hi
>   Our product is using OpenSSL 1.0.2 , one of the vulnerability scan tool
> reported vulnerability : CVE-2011-1473.
>   Vulnerability description:
>   Opensl doesn't properly restrict client-initiated renegotiation within
> the SSL and TLS protocols, which might make it easier for remote attackers
> to cause a denial of service (CPU consumption) by performing many
> renegotiations within a single connection.
>
>   Only solution available for this vulnerability, is to disable
> renegotiation using SSL_OP_NO_RENEGOTIATION option. But this option is not
> available in the OpenSSL 1.0.2 version.
>
>   Any suggestions, how to fix this vulnerability in OpenSSL 1.0.2 version.
>
>  Regards
>  Manish
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230928/e129c391/attachment.htm>