Secure Renegotiation is not supported

Impact: Low

Description

When a server does not implement the secure renegotiation extension (RFC 5746, the fix for the TLS renegotiation flaw tracked as CVE-2009-3555), an attacker positioned between client and server can open their own SSL/TLS session to the server, send a partial request, and then splice the victim's handshake in as a renegotiation of that session. The server treats the victim's request as a continuation of the attacker's data, so attacker-chosen plaintext is injected at the start of the victim's session (for HTTP this means a request prefix or headers of the attacker's choosing). The server is only exploitable if it also accepts client-initiated renegotiation: a server that supports RFC 5746 refuses to renegotiate with a peer that does not carry the renegotiation_info extension, which is what closes the hole.

Recommendation

Update the web server and the SSL/TLS library it links against to versions that implement RFC 5746, and use the vendor-suggested configuration for production. For Apache HTTP Server with mod_ssl this means OpenSSL 0.9.8m or later and httpd 2.2.15 or later; secure renegotiation is then negotiated automatically and no extra directive is needed to turn it on.

Make sure insecure (legacy) renegotiation is not re-enabled in the Apache configuration. The directive below is the default and should stay that way; set it to On only if you must talk to unpatched clients and accept the attack:

SSLInsecureRenegotiation off

Note that the following two lines, which are sometimes suggested as the fix, do not enable secure renegotiation:

SSLOptions +StdEnvVars

SSL_SECURE_RENEG=true

SSLOptions +StdEnvVars only exports the SSL_* variables into the CGI environment, and SSL_SECURE_RENEG is one of the variables mod_ssl sets there (true when the connection negotiated the extension, false otherwise). It is a read-only indicator that a script can use to check the state of the connection, not a setting that changes it.

To verify from outside, connect with openssl s_client -connect host:443 and look for "Secure Renegotiation IS supported" in its output; with the session open, typing R on a line by itself requests a client-initiated renegotiation, which a correctly configured server should refuse.
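As an added example (not SmartScanner's or Apache's own code), the probe below performs the check at the protocol level rather than through openssl s_client: it builds a TLS 1.2 ClientHello that advertises the RFC 5746 renegotiation_info extension and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling suite, sends it to a server, and reports whether the ServerHello echoes the extension with an empty renegotiated_connection field, which is what a server that supports secure renegotiation must do on the initial handshake. The cipher suites, groups and signature algorithms offered are my choice for a broadly accepted TLS 1.2 hello; build_server_hello exists only so the parser can be exercised offline on a constructed server answer.

```python
"""Probe a TLS server for RFC 5746 secure renegotiation support (added example)."""
import os
import socket
import struct

RENEGOTIATION_INFO = 0xFF01        # extension type, RFC 5746
EMPTY_RENEG_INFO_SCSV = 0x00FF     # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
# Assumed, commonly accepted TLS 1.2 suites plus the SCSV.
CIPHER_SUITES = [0xC02F, 0xC030, 0xC02B, 0xC02C, 0x009C, 0x002F, EMPTY_RENEG_INFO_SCSV]


def _ext(ext_type, data):
    """Encode one extension: type (2 bytes), length (2 bytes), data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(server_name):
    """TLS 1.2 ClientHello record advertising renegotiation_info and the SCSV."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    exts = (
        _ext(RENEGOTIATION_INFO, b"\x00")                             # empty renegotiated_connection
        + _ext(0x0000, struct.pack("!H", len(sni_entry)) + sni_entry) # server_name
        + _ext(0x000A, struct.pack("!HHH", 4, 0x001D, 0x0017))        # supported_groups: x25519, P-256
        + _ext(0x000D, struct.pack("!HHHH", 6, 0x0403, 0x0804, 0x0401))  # signature_algorithms
    )
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        b"\x03\x03" + os.urandom(32) + b"\x00"        # version, random, empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # compression methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_extensions(data):
    """Parse a length-prefixed TLS extension list into {type: data}."""
    exts = {}
    (total,) = struct.unpack("!H", data[:2])
    pos, end = 2, 2 + total
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", data[pos:pos + 4])
        exts[ext_type] = data[pos + 4:pos + 4 + length]
        pos += 4 + length
    return exts


def parse_server_hello(body):
    """Parse a ServerHello body (handshake header already stripped)."""
    sid_len = body[34]                          # after 2-byte version + 32-byte random
    pos = 35 + sid_len
    (cipher,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 3                                    # cipher suite + compression method
    exts = parse_extensions(body[pos:]) if pos < len(body) else {}
    return {
        "version": body[:2],
        "cipher_suite": cipher,
        "extensions": exts,
        # RFC 5746 3.4: initial ServerHello carries the extension with an empty field.
        "secure_renegotiation": exts.get(RENEGOTIATION_INFO) == b"\x00",
    }


def first_handshake_message(raw):
    """Return (type, body) of the first handshake message spanning TLS records,
    None if more bytes are needed, or raise if the server sent an alert."""
    hs, pos = b"", 0
    while pos + 5 <= len(raw):
        ctype, _ver, length = struct.unpack("!BHH", raw[pos:pos + 5])
        payload = raw[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == 0x15:
            raise RuntimeError("server sent alert %r" % payload)
        if ctype == 0x16:
            hs += payload
            if len(hs) >= 4:
                need = 4 + int.from_bytes(hs[1:4], "big")
                if len(hs) >= need:
                    return hs[0], hs[4:need]
    return None


def build_server_hello(cipher_suite, secure_reneg):
    """Constructed ServerHello record for offline tests (not from a real server)."""
    exts = _ext(RENEGOTIATION_INFO, b"\x00") if secure_reneg else b""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body    # type 2 = ServerHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def probe(host, port=443, timeout=5):
    """Send the ClientHello and report whether the server echoed renegotiation_info."""
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        while True:
            chunk = sock.recv(16384)
            if not chunk:
                raise RuntimeError("connection closed before ServerHello")
            raw += chunk
            msg = first_handshake_message(raw)
            if msg:
                break
    mtype, body = msg
    if mtype != 0x02:
        raise RuntimeError("unexpected handshake message type %d" % mtype)
    return parse_server_hello(body)


if __name__ == "__main__":
    import sys
    result = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print("secure renegotiation:", "supported" if result["secure_renegotiation"] else "NOT supported")
```

A missing extension in the ServerHello is the condition this page describes; it says nothing yet about whether the server will honour a renegotiation request from such a client, which is the second precondition above and is easiest to test with the R command in openssl s_client. A server that only speaks TLS 1.3 answers this TLS 1.2 hello with an alert; TLS 1.3 removed renegotiation entirely, so the finding does not apply to it.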

References

RFC 5746, Transport Layer Security (TLS) Renegotiation Indication Extension: https://www.rfc-editor.org/rfc/rfc5746

Last updated on September 01, 2021

Use SmartScanner Free version to test for this issue