Client Initiated Renegotiation False Positive
vbisbest opened this issue · comments
I am getting false positives for client renegotiation. Example:
```
sslyze www.adidas.com --reneg
CHECKING CONNECTIVITY TO SERVER(S)
www.adidas.com:443 => 23.56.99.67
SCAN RESULTS FOR WWW.ADIDAS.COM:443 - 23.56.99.67
- Session Renegotiation:
Client Renegotiation DoS Attack: VULNERABLE - Server honors client-initiated renegotiations
Secure Renegotiation: OK - Supported
SCANS COMPLETED IN 1.592417 S
COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
Disabled; use --mozilla_config={old, intermediate, modern}.
```
Both SSL Labs and the TestSSL script return false, e.g.
```
Testing for Renegotiation vulnerabilities
Secure Renegotiation (RFC 5746) OpenSSL handshake didn't succeed
Secure Client-Initiated Renegotiation not vulnerable (OK)
Done 2024-02-06 12:04:35 [0021s] -->> 23.56.99.66:443 (www.adidas.com) <<--
```
Hello,
I am not sure about the other tools but I am able to trigger a renegotiation using just openssl s_client:

```
$ openssl s_client -tlsv12 -connect WWW.ADIDAS.COM:443
[...]
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = DE, ST = Bayern, L = Herzogenaurach, O = adidas AG, CN = www.adidas.com
verify return:1
```
This is what SSLyze tests for.
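The manual s_client check above (type `R` after the handshake and see whether the server runs a second handshake) can be scripted so that a defender can re-verify a server's configuration after disabling client-initiated renegotiation. The following is an added example, not code from the SSLyze project or from either participant in this issue. It assumes an OpenSSL 1.1.1 or 3.x `s_client` (where the TLS 1.2 option is spelled `-tls1_2`), that the interactive `R` command is read from stdin once the initial handshake has finished (hence the short sleeps), and that a server which refuses the request answers with a `no_renegotiation` alert; the classification rules and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of SSLyze or this issue): script the openssl
# s_client renegotiation check from the thread and classify its output.

# probe_reneg HOST [PORT]: connect with TLS 1.2 (renegotiation does not
# exist in TLS 1.3), feed s_client the interactive "R" command after the
# handshake has had time to complete, and return the combined output.
# Assumption: 2 seconds is long enough for the initial handshake.
probe_reneg() {
  host=$1
  port=${2:-443}
  { sleep 2; printf 'R\n'; sleep 2; } |
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 2>&1
}

# classify_reneg OUTPUT: decide what happened after s_client printed
# RENEGOTIATING.
#   honored  - a second chain verification ("verify return:") follows, i.e.
#              the server completed the client-initiated handshake, which is
#              exactly what SSLyze reports as VULNERABLE
#   refused  - a "no renegotiation" alert follows (server declined)
#   none     - s_client never attempted a renegotiation
#   unknown  - anything else (connection dropped, odd output)
classify_reneg() {
  out=$1
  case "$out" in
    *RENEGOTIATING*) ;;
    *) echo none; return 0 ;;
  esac
  # Only look at the text after the renegotiation attempt, so the verify
  # lines of the *initial* handshake are not mistaken for a second one.
  after=${out#*RENEGOTIATING}
  case "$after" in
    *"no renegotiation"*) echo refused ;;
    *"verify return:"*)   echo honored ;;
    *)                    echo unknown ;;
  esac
}

# Constructed sample output (not captured from any real host) showing a
# server that honours the client-initiated renegotiation.
SAMPLE_HONORED='depth=0 CN = server.example.test
verify return:1
R
RENEGOTIATING
depth=1 CN = Example Intermediate CA
verify return:1
depth=0 CN = server.example.test
verify return:1'

# With a host argument run the live probe; otherwise classify the sample.
if [ "$#" -gt 0 ]; then
  classify_reneg "$(probe_reneg "$1" "${2:-443}")"
else
  classify_reneg "$SAMPLE_HONORED"
fi
```

Run it as `sh reneg_check.sh your.host.example` after changing the server configuration; `honored` means the server still accepts client-initiated renegotiation, while `refused` means it now declines (secure renegotiation per RFC 5746 may still be advertised, which is the "Secure Renegotiation: OK" line SSLyze prints separately).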