Renegotiation vulnerability (CVE-2011-1473) in OpenSSL 1.0.2
Matt Caswell
matt at openssl.org
Thu Sep 28 11:06:44 UTC 2023
On 28/09/2023 11:23, Manish Patidar wrote:
> Thanks Mark for your reply.
>
> We have extended support for this version.
To access extended support for advice on this please raise an issue via
your organisation's login to github.openssl.org.
Matt
>
> Is there any way to avoid this vulnerability?
>
>
>
> On Tue, Sep 26, 2023 at 10:38 PM Mark Hack <markhack at markhack.com> wrote:
>
> The MITRE CVE dictionary describes this issue as:
>
> ** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does
> not properly restrict client-initiated renegotiation within the SSL
> and TLS protocols, which might make it easier for remote attackers
> to cause a denial of service (CPU consumption) by performing many
> renegotiations within a single connection, a different vulnerability
> than CVE-2011-5094. NOTE: it can also be argued that it is the
> responsibility of server deployments, not a security library, to
> prevent or limit renegotiation when it is inappropriate within a
> specific environment.
>
>
> Besides this being a questionable CVE, the version you are using
> went EOS a long time ago unless you have an extended contract.
>
> Regards
>
> Mark Hack
>
> On 9/26/23 11:56, Manish Patidar wrote:
>> Hi
>> Our product is using OpenSSL 1.0.2; one of the vulnerability
>> scan tools reported a vulnerability: CVE-2011-1473.
>> Vulnerability description:
>> OpenSSL doesn't properly restrict client-initiated renegotiation
>> within the SSL and TLS protocols, which might make it easier for
>> remote attackers to cause a denial of service (CPU consumption) by
>> performing many renegotiations within a single connection.
>>
>> The only solution available for this vulnerability is to disable
>> renegotiation using the SSL_OP_NO_RENEGOTIATION option. But this
>> option is not available in OpenSSL 1.0.2.
>>
>> Any suggestions on how to fix this vulnerability in the OpenSSL
>> 1.0.2 version?
>>
>> Regards
>> Manish
>>
>>
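Added example, not part of the thread above and not OpenSSL project code: the pre-1.1.0 way of limiting client-initiated renegotiation (the behaviour CVE-2011-1473 describes) when SSL_OP_NO_RENEGOTIATION is not available. OpenSSL 1.0.2 does have SSL_CTX_set_info_callback(); the callback sees SSL_CB_HANDSHAKE_START once for the initial handshake and once more for every renegotiation, so any HANDSHAKE_START after SSL_CB_HANDSHAKE_DONE is a renegotiation. The callback cannot reject the handshake itself, so it records a decision in per-connection state and the application's I/O path closes the connection. The policy is plain C so it compiles without libssl; the OpenSSL glue sits behind USE_OPENSSL_INFO_CALLBACK, an assumed build flag (needs -lssl -lcrypto). The reneg_* names and the limit values are this example's own choices.

```c
/* Cap renegotiations per TLS connection on OpenSSL 1.0.2 (added example).
 * Policy part is plain C; OpenSSL glue is under USE_OPENSSL_INFO_CALLBACK
 * (assumed build flag, link with -lssl -lcrypto). */
#include <stddef.h>
#include <stdio.h>

struct reneg_state {
    int handshake_done;    /* initial handshake completed */
    unsigned renegs_seen;  /* renegotiations attempted on this connection */
    unsigned renegs_max;   /* policy: 0 means "never renegotiate" */
    int abort_connection;  /* set once renegs_seen exceeds renegs_max */
};

void reneg_state_init(struct reneg_state *st, unsigned max_renegs)
{
    st->handshake_done = 0;
    st->renegs_seen = 0;
    st->renegs_max = max_renegs;
    st->abort_connection = 0;
}

/* Called for every HANDSHAKE_START. Returns 1 when the connection must be
 * dropped. The first handshake is always allowed; every later one counts. */
int reneg_on_handshake_start(struct reneg_state *st)
{
    if (!st->handshake_done)
        return 0;
    st->renegs_seen++;
    if (st->renegs_seen > st->renegs_max)
        st->abort_connection = 1;
    return st->abort_connection;
}

/* Called for HANDSHAKE_DONE; from now on HANDSHAKE_START means renegotiation. */
void reneg_on_handshake_done(struct reneg_state *st)
{
    st->handshake_done = 1;
}

#ifdef USE_OPENSSL_INFO_CALLBACK
#include <openssl/ssl.h>

/* Info callback: receives every state change; we only look at handshake
 * start/done. The per-connection state is stored via SSL_set_app_data(). */
static void reneg_info_cb(const SSL *ssl, int where, int ret)
{
    struct reneg_state *st = SSL_get_app_data(ssl);
    (void)ret;
    if (st == NULL)
        return;
    if ((where & SSL_CB_HANDSHAKE_START) && reneg_on_handshake_start(st))
        fprintf(stderr, "renegotiation limit exceeded, dropping connection\n");
    if (where & SSL_CB_HANDSHAKE_DONE)
        reneg_on_handshake_done(st);
}

void reneg_install(SSL_CTX *ctx)
{
    SSL_CTX_set_info_callback(ctx, reneg_info_cb);
}

/* Per connection: reneg_state_init(st, 0); SSL_set_app_data(ssl, st);
 * then use this instead of a bare SSL_read() so the callback's decision
 * actually ends the connection (the callback itself cannot). */
int reneg_ssl_read(SSL *ssl, void *buf, int num)
{
    struct reneg_state *st = SSL_get_app_data(ssl);
    int n = SSL_read(ssl, buf, num);
    if (st != NULL && st->abort_connection) {
        SSL_shutdown(ssl);
        return -1;
    }
    return n;
}
#endif

/* Stand-alone demo: simulate the callback event sequence for one connection
 * that the policy allows to renegotiate at most once. */
int main(void)
{
    struct reneg_state st;
    int i;
    reneg_state_init(&st, 1);
    reneg_on_handshake_start(&st);     /* initial handshake */
    reneg_on_handshake_done(&st);
    for (i = 1; i <= 3; i++) {
        int drop = reneg_on_handshake_start(&st);  /* client renegotiates */
        printf("renegotiation %d: %s\n", i, drop ? "drop" : "allow");
        if (drop)
            break;
        reneg_on_handshake_done(&st);
    }
    return 0;
}
```

With renegs_max set to 0 this behaves like SSL_OP_NO_RENEGOTIATION from the client's point of view: the first renegotiation attempt after the initial handshake ends the connection. A server that itself calls SSL_renegotiate() also triggers HANDSHAKE_START and is counted by the same policy.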