Re: [exim] Secure Client-Initiated Renegotiation

Author: Hans Morten Kind
Date:  
To: exim-users
Subject: Re: [exim] Secure Client-Initiated Renegotiation
On Fri, Mar 04, 2016 at 10:57:53AM +0100, Martin Preen wrote:
> Hans Morten Kind wrote:
>> The test is run something like this on exim started with -tls-on-connect
>>    echo R | openssl s_client -connect exim:465
>> exim seems to accept the RENEGOTIATING while a standard Apache httpd
>> is closing the connection with "ssl handshake failure" after, i.e.,
>>    echo R | openssl s_client -connect httpd:443
>>
>> Is there any way to turn this "feature" off?
>
> I'm not sure, but maybe it's a false positive.

No, as the test shows it is not a false positive.

I should have mentioned that our servers already are using
openssl_options = +no_sslv2 +no_sslv3 +cipher_server_preference
and that these tests with testssl.sh all passed as excellent for exim.

The insecure user renegotiation is not exploitable to steal any
information, but it could steal your resources by re-renegotiating
with your SSL library without involving any of exim's configuration.

That is why Apache httpd is closing the connection with "ssl handshake failure",
and I think exim should, too.

But I am not the one to find out about the magic of openssl.

--
hmk

say SSL_get_secure_renegotiation_support to me
I say goodnight to you
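The probe quoted in the thread (echo R piped into openssl s_client) is a one-off manual test. The script below is an added example, not code from the list post or from the Exim project: it wraps that probe in a function for checking your own mail server and classifies the s_client transcript as refused, accepted, dropped or not attempted. The hostnames exim.example.test and httpd.example.test and the three sample transcripts are constructed to resemble s_client output, not captured from real hosts, so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the list post: turn the manual probe from the
# thread (echo R | openssl s_client -connect host:port) into a scriptable
# self-check for your own mail server by classifying the s_client transcript.
#
# When s_client reads a line starting with "R" it prints RENEGOTIATING and
# sends a new ClientHello. A server that refuses client-initiated
# renegotiation answers with a fatal "handshake failure" (or a
# "no renegotiation" alert); a server that accepts it completes a second
# handshake, visible as a fresh "verify return" line after RENEGOTIATING.

# classify_renegotiation TRANSCRIPT
# Prints one of: refused | accepted | dropped | not_attempted
classify_renegotiation() {
    case "$1" in
        *"handshake failure"*|*"no renegotiation"*)
            echo refused ;;
        *RENEGOTIATING*"verify return"*)
            echo accepted ;;        # a second handshake completed
        *RENEGOTIATING*)
            echo dropped ;;         # server closed without sending an alert
        *)
            echo not_attempted ;;   # probe never reached the renegotiation step
    esac
}

# probe_renegotiation HOST PORT
# Runs the probe against a TLS-on-connect port (465 in the thread) and
# classifies the result. Needs network access; the host must be yours.
probe_renegotiation() {
    transcript=$( { printf 'R\n'; sleep 2; } | openssl s_client -connect "$1:$2" 2>&1 )
    classify_renegotiation "$transcript"
}

# Constructed sample transcripts (modelled on s_client output, not captured
# from a real host) so the classifier can be run offline.
SAMPLE_ACCEPTED='CONNECTED(00000003)
depth=0 CN = exim.example.test
verify return:1
---
RENEGOTIATING
depth=0 CN = exim.example.test
verify return:1'

SAMPLE_REFUSED='CONNECTED(00000003)
depth=0 CN = httpd.example.test
verify return:1
---
RENEGOTIATING
SSL3 alert read:fatal:handshake failure'

SAMPLE_NOT_ATTEMPTED='CONNECTED(00000003)
depth=0 CN = exim.example.test
verify return:1
---
DONE'

for s in "$SAMPLE_ACCEPTED" "$SAMPLE_REFUSED" "$SAMPLE_NOT_ATTEMPTED"; do
    echo "sample -> $(classify_renegotiation "$s")"
done
```

To check a live server, call probe_renegotiation with your own host and the TLS-on-connect port, e.g. probe_renegotiation exim.example.test 465; "refused" or "dropped" is the outcome the thread asks for. On the library side, OpenSSL 1.1.0h and later provide SSL_OP_NO_RENEGOTIATION for this, and newer Exim releases expose it through the same openssl_options setting shown in the mail as +no_renegotiation; confirm the name against the spec for your Exim version, since the 2016 build discussed here predates it.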