Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unbound accept client initiated renegotiation #49

Closed
yegle opened this issue Jul 18, 2019 · 3 comments
Closed

Unbound accept client initiated renegotiation #49

yegle opened this issue Jul 18, 2019 · 3 comments
Assignees

Comments

@yegle
Copy link

@yegle yegle commented Jul 18, 2019

pip3 install sslyze
sslyze --reneg $HOSTNAME:853

Result:

$ sslyze nuc.apkay.com:853 --reneg



 AVAILABLE PLUGINS
 -----------------

  CompressionPlugin
  RobotPlugin
  CertificateInfoPlugin
  FallbackScsvPlugin
  SessionRenegotiationPlugin
  SessionResumptionPlugin
  HttpHeadersPlugin
  EarlyDataPlugin
  OpenSslCipherSuitesPlugin
  OpenSslCcsInjectionPlugin
  HeartbleedPlugin



 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   example.com:853                       => XXXXX




 SCAN RESULTS FOR example.com:XXXXX
 ----------------------------------------------------------------------------

 * Session Renegotiation:
       Client-initiated Renegotiation:    VULNERABLE - Server honors client-initiated renegotiations
       Secure Renegotiation:              OK - Supported


 SCAN COMPLETED IN 0.18 S
 ------------------------
@wcawijngaards
Copy link
Member

@wcawijngaards wcawijngaards commented Jul 19, 2019

Thanks for the check! The code did not have the SSL_OP_NO_RENEGOTIATION set on the context. The option requires an up to date version of openssl, but then I set it on all the SSL contexts.

Loading

@wcawijngaards
Copy link
Member

@wcawijngaards wcawijngaards commented Jul 19, 2019

I also fixed this in NSD, by the way. NLnetLabs/nsd@68742ad

Loading

@wcawijngaards wcawijngaards self-assigned this Jul 19, 2019
@yegle
Copy link
Author

@yegle yegle commented Jul 19, 2019

Confirm fixed (at least sslyze no longer report the issue).

Any chance to release a new version with this included since this has the potential of being used to do DoS?

Loading

jedisct1 added a commit to jedisct1/unbound that referenced this issue Jul 24, 2019
* nlnet/master:
  - Fix question section mismatch in local zone redirect.
  Fixup space in error message.
  - Fix NLnetLabs#49: Set no renegotiation on the SSL context to stop client   session renegotiation.
  - Fix NLnetLabs#48: Unbound returns additional records on NODATA response,   if minimal-responses is enabled, also the additional for negative   responses is removed.
  -  Fix in respip addrtree selection. Absence of addr_tree_init_parents() call    made it impossible to go up the tree when the matching netmask is too    specific.
  - Fix for possible assertion failure when answering respip CNAME from cache.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants