
Secure Renegotiation is not supported

Severity:
Low

Description

When a server does not support secure renegotiation (RFC 5746) for SSL/TLS connections, a man-in-the-middle attacker can inject content at the start of a session (CVE-2009-3555). Exploiting this weakness also requires that the server allow client-initiated renegotiation.

Recommendation

To address this vulnerability, update the web server software and configure it according to the vendor’s recommendations for production environments. The configuration for Apache HTTP Server is shown below.

Set the following directive in the Apache configuration:

  SSLOptions +StdEnvVars

and add the following variable to your environment variables:

  SSL_SECURE_RENEG=true

Tags:
Secure Renegotiation
SSL/TLS
Content Injection
Server Misconfiguration
WASC-4
WASC-14
CVE-2009-3555
CWE-310
CWE-16
OWASP 2017-A3
OWASP 2021-A2
OWASP 2021-A5
OWASP 2017-A6
OWASP 2013-A5
OWASP 2021-A6
OWASP 2017-A9
CAPEC-310
Last updated on May 13, 2024