Re: [exim] Secure Client-Initiated Renegotiation

Author: Martin Preen
Date:  
To: exim-users
Subject: Re: [exim] Secure Client-Initiated Renegotiation
Hans Morten Kind wrote:
> We were alarmed by the DROWN attack on Tuesday and started running
> http://testssl.sh to find forgotten servers still running SSLv2 (or SSLv3).
> There were not many left ...
>
> But I also ran testssl.sh towards exim-servers offering TLS, and got an alarm on
> Secure Client-Initiated Renegotiation, telling me not only "VULNERABLE (NOT ok)"
> but also "DoS threat"!
>
> We are running on RHEL6 servers with openssl from their repos, exim is
> home-compiled and tested with versions 4.84 and 4.86, I have also tested exim
> linked with a clean build of openssl-1.0.1s
>
> I have played with openssl_options and the parameters of
> allow_unsafe_legacy_renegotiation, no_session_resumption_on_renegotiation and
> legacy_server_connect, but am still getting the alarm from testssl.
>
> The test is run something like this on exim started with -tls-on-connect
>    echo R | openssl s_client -connect exim:465
> exim seems to accept the RENEGOTIATING while a standard Apache httpd
> is closing the connection with "ssl handshake failure" after e.g.
>    echo R | openssl s_client -connect httpd:443
>
> Is there any way to turn this "feature" off?


I'm not sure, but maybe it's a false positive.
According to https://recordnotfound.com/testssl-sh-drwetter-10514/issues
there is such an issue with testssl.

Martin

----------------------------------------------------------------------
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum EG-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250    preen@???
fax: ++49 761 203-8242      swt.informatik.uni-freiburg.de/staff/preen
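To check your own servers the way the quoted `echo R | openssl s_client` probe does, and to tell a real "renegotiation accepted" result from a plain connection failure, here is an added helper script (not from the thread, not part of exim or testssl.sh). It assumes `openssl` and coreutils `timeout` on PATH, a TLS 1.0-1.2 session (TLS 1.3 has no renegotiation), and uses placeholder host names.

```shell
#!/bin/sh
# Added example: interpret the client-initiated renegotiation probe
# from the list post ("echo R | openssl s_client -connect host:port").
# Assumptions: openssl(1) and timeout(1) are installed; the server
# negotiates TLS <= 1.2, where s_client prints "RENEGOTIATING" after
# reading "R" and then either completes the handshake or reports the
# server's alert (Apache-style "alert handshake failure").

# classify_reneg_output OUTPUT
#   accepted - server completed the client-initiated renegotiation
#   refused  - server answered the renegotiation with a handshake alert
#   unknown  - no RENEGOTIATING marker at all (no TLS session, wrong
#              port, connection refused, ...), so nothing was tested
classify_reneg_output() {
    out="$1"
    # Only the text after the RENEGOTIATING marker matters; verify
    # errors printed during the initial handshake are not the question.
    after=$(printf '%s\n' "$out" | awk 'seen { print } /^RENEGOTIATING/ { seen = 1 }')
    if ! printf '%s\n' "$out" | grep -q '^RENEGOTIATING'; then
        echo unknown
    elif printf '%s\n' "$after" | grep -Eqi 'handshake failure|alert number'; then
        echo refused
    else
        echo accepted
    fi
}

# probe_reneg HOST PORT [TIMEOUT_SECONDS]
# Runs the same probe as in the post against a TLS-on-connect port
# (465 for exim started with -tls-on-connect) and prints the verdict.
probe_reneg() {
    host="$1"; port="$2"; secs="${3:-10}"
    out=$(printf 'R\n' | timeout "$secs" openssl s_client -connect "$host:$port" 2>&1)
    classify_reneg_output "$out"
}

# usage: probe_reneg mail.example.net 465   (placeholder host)
```

A verdict of "unknown" means the probe never got as far as renegotiating, so it is neither a pass nor a fail; rerun against the right port before drawing conclusions.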