Secure Renegotiation is not supported
Impact: Low
Description
When a server does not implement secure renegotiation (the RFC 5746 renegotiation_info extension) for its SSL/TLS connections, a man-in-the-middle attacker can splice a connection of their own onto the start of a victim's session: data the attacker sent before the renegotiation is handed to the application as if it were the prefix of the victim's request (CVE-2009-3555). The server is only exploitable if it also allows renegotiation on an established connection, most commonly client-initiated renegotiation; a server that refuses renegotiation altogether is not affected even without the extension.
Recommendation
Upgrade the web server and the TLS library it links against to versions that implement RFC 5746 (the renegotiation_info extension and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV), then apply the vendor-suggested production configuration. For Apache HTTP Server this means httpd 2.2.15 or later built against OpenSSL 0.9.8m or later: with these versions mod_ssl negotiates secure renegotiation automatically, and with SSLInsecureRenegotiation left at its default of off it refuses to renegotiate with peers that do not support the extension. Where renegotiation is not needed at all, disabling it on the server removes the exposure regardless of extension support.
Note that SSL_SECURE_RENEG is not a setting that enables the fix. It is a read-only variable that mod_ssl exports to CGI scripts and SSI pages when the directive below is enabled, and its value (true or false) reports whether the current connection negotiated secure renegotiation:
SSLOptions +StdEnvVars
Exporting it is useful only for checking the result from within an application; adding SSL_SECURE_RENEG=true to the server's environment has no effect on the TLS handshake.
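To verify a server after patching, and to show what the extension described above looks like on the wire, the check below (an added example, not code from the original page or from Apache) sends a TLS 1.2 ClientHello that advertises the RFC 5746 renegotiation_info extension together with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV, then inspects the ServerHello: a server that supports secure renegotiation echoes renegotiation_info with an empty renegotiated_connection, one that does not omits it. The sample ServerHello records built by make_server_hello are constructed for illustration and not captured from any real server; probe() performs the same check against a live host and port supplied on the command line.

```python
import os
import socket
import struct
import sys

RENEGOTIATION_INFO = 0xFF01                  # RFC 5746 extension type
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # RFC 5746 signalling cipher suite value

# A handful of common TLS 1.2 suites, followed by the SCSV.
CIPHER_SUITES = [
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0xC030,  # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    0xC013,  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
]


def _ext(ext_type, data):
    """Encode one TLS extension: type, length, data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(server_name, client_random=None):
    """Return a TLS record holding a TLS 1.2 ClientHello for server_name."""
    client_random = client_random or os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    name = server_name.encode("idna")
    extensions = (
        _ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)  # server_name
        + _ext(0x000A, struct.pack("!HHH", 4, 0x0017, 0x0018))          # supported_groups: P-256, P-384
        + _ext(0x000D, struct.pack("!HHHH", 6, 0x0401, 0x0501, 0x0601))  # signature_algorithms: rsa_pkcs1 sha256/384/512
        + _ext(RENEGOTIATION_INFO, b"\x00")                               # empty renegotiated_connection
    )
    body = (
        b"\x03\x03" + client_random + b"\x00"            # version, random, empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Classify the first handshake message in a TLS record.

    True  -> ServerHello with renegotiation_info carrying the empty value
             RFC 5746 requires on an initial handshake (secure renegotiation supported)
    False -> ServerHello without the extension (not supported)
    None  -> not a ServerHello at all (for example an Alert record)
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + rec_len]
    if content_type != 0x16 or len(payload) < 4 or payload[0] != 0x02:
        return None
    hs_len = int.from_bytes(payload[1:4], "big")
    hs = payload[4:4 + hs_len]
    pos = 2 + 32                       # server_version + random
    pos += 1 + hs[pos]                 # session_id
    pos += 2 + 1                       # cipher_suite + compression_method
    if pos >= len(hs):
        return False                   # ServerHello with no extensions block at all
    (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == RENEGOTIATION_INFO:
            return data == b"\x00"
    return False


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection before a full record arrived")
        buf += chunk
    return buf


def probe(host, port=443, timeout=5.0):
    """Connect to host:port, send the ClientHello and classify the first record received."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        header = _recv_exact(sock, 5)
        (rec_len,) = struct.unpack("!H", header[3:5])
        return parse_server_hello(header + _recv_exact(sock, rec_len))


def make_server_hello(with_renegotiation_info):
    """Constructed sample ServerHello for offline use (not captured from a real server)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"  # version, random, no session id, suite, null compression
    if with_renegotiation_info:
        exts = _ext(RENEGOTIATION_INFO, b"\x00")
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body       # HandshakeType server_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    else:
        result = parse_server_hello(make_server_hello(False))   # offline demo on a constructed record
    print({True: "secure renegotiation supported",
           False: "secure renegotiation NOT supported",
           None: "no ServerHello received"}[result])
```

The same answer can be cross-checked with openssl s_client -connect host:443, whose output contains the line "Secure Renegotiation IS supported" or "Secure Renegotiation IS NOT supported". Extension support is only half of the picture: a server that advertises it but still accepts renegotiation from peers that do not (what SSLInsecureRenegotiation off, Apache's default, prevents) remains exposed.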
References
RFC 5746, Transport Layer Security (TLS) Renegotiation Indication Extension
CVE-2009-3555, TLS renegotiation prefix injection vulnerability
Last updated on September 01, 2021