FR: "disable" client initiated renegotiation
vtracnagios opened this issue · 0 comments
vtracnagios commented
A client request that we "disable" client initiated renegotiation for NCPA.
The client initiated renegotiation (even though secure) which can potentially lead to DoS attacks.
Ticket 10659:
https://nagiosenterprises.lightning.force.com/lightning/r/Case/500Vm00000A6YUIIA3/view
Here's the description from the above ticket:
HI Team,
We have vulnerability reported by our client on the NCPA agent for the port 5693.they are asking to disable the Renegotiation. COuld you please help with this.
Although the SSL supports secure renegotiation, it is recommended to disable the renegotiation on the server side to prevent any attacks using this feature.
As part of Pentest we test for following 2 cases:
- Is client initiated renegotiation enabled
- If yes, does it support secure renegotiation
In this services, we see that "secure" renegotiation is supported. Hence we do not see the
vulnerability that allows a "man-in-the-middle" attacker to inject data into an HTTPS session
and execute requests on behalf of the victim.
However, it supports client initiated renegotiation (even though secure) which can potentially lead to DoS attacks.