
Unbound accept client initiated renegotiation #49

Closed
yegle opened this issue Jul 18, 2019 · 3 comments

Comments

@yegle

commented Jul 18, 2019

pip3 install sslyze
sslyze --reneg $HOSTNAME:853

Result:

$ sslyze nuc.apkay.com:853 --reneg

 AVAILABLE PLUGINS
 -----------------

  CompressionPlugin
  RobotPlugin
  CertificateInfoPlugin
  FallbackScsvPlugin
  SessionRenegotiationPlugin
  SessionResumptionPlugin
  HttpHeadersPlugin
  EarlyDataPlugin
  OpenSslCipherSuitesPlugin
  OpenSslCcsInjectionPlugin
  HeartbleedPlugin

 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   example.com:853                       => XXXXX

 SCAN RESULTS FOR example.com:XXXXX
 ----------------------------------------------------------------------------

 * Session Renegotiation:
       Client-initiated Renegotiation:    VULNERABLE - Server honors client-initiated renegotiations
       Secure Renegotiation:              OK - Supported

 SCAN COMPLETED IN 0.18 S
 ------------------------
@wcawijngaards

Member

commented Jul 19, 2019

Thanks for the check! The code did not have the SSL_OP_NO_RENEGOTIATION set on the context. The option requires an up-to-date version of openssl, but then I set it on all the SSL contexts.

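The option the maintainer refers to, SSL_OP_NO_RENEGOTIATION, is a plain OpenSSL context flag, so the fix can be shown without Unbound's own sources. The block below is an added example, not Unbound or NSD code: it builds a server-side TLS context for a DNS-over-TLS (port 853) listener with renegotiation refused, using Python's `ssl` module, which exposes the same OpenSSL flag as `ssl.OP_NO_RENEGOTIATION` (Python 3.7+, only present when the underlying OpenSSL is 1.1.0h or newer, which matches the "up-to-date openssl" caveat above). The function names, the optional certificate paths and the unhardened "before" context are my own illustration; nothing here reflects how Unbound's listener is structured.

```python
"""Added example: refuse client-initiated TLS renegotiation on a DoT listener.

Not Unbound's code. Demonstrates the SSL_OP_NO_RENEGOTIATION context flag
that the fix for this issue sets, via Python's ssl module.
"""
import ssl

# The OpenSSL flag the fix turns on. getattr() keeps the example importable
# on builds whose OpenSSL predates the flag (the maintainer's caveat above);
# on such builds the value is 0 and renegotiation cannot be refused this way.
OP_NO_RENEGOTIATION = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def default_server_context():
    """Unhardened counterpart: a server context on which the flag was never
    set, i.e. the state sslyze reported as VULNERABLE in this issue."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def dot_server_context(certfile=None, keyfile=None):
    """Server SSLContext for a port-853 listener with renegotiation refused.

    certfile/keyfile are hypothetical and optional only so that this example
    runs without a certificate on disk; a real listener must load its chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # TLS 1.3 has no renegotiation at all (it uses KeyUpdate instead), so the
    # flag only matters for TLS 1.2 and earlier sessions; still refuse
    # anything older than 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The fix from this issue: the server ignores/rejects a client's request
    # to renegotiate, so a client cannot force repeated handshakes on one
    # connection to burn server CPU.
    ctx.options |= OP_NO_RENEGOTIATION
    # Cheap, unrelated hardening that a DoT listener normally pairs with it.
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def renegotiation_disabled(ctx):
    """True if ctx carries SSL_OP_NO_RENEGOTIATION, i.e. what a scanner such as
    sslyze's SessionRenegotiationPlugin would report as not vulnerable."""
    return bool(OP_NO_RENEGOTIATION) and bool(ctx.options & OP_NO_RENEGOTIATION)


def renegotiation_flag_available():
    """Whether this interpreter's OpenSSL exposes the flag at all."""
    return bool(OP_NO_RENEGOTIATION)


if __name__ == "__main__":
    print("flag available  :", renegotiation_flag_available())
    print("before fix      :", renegotiation_disabled(default_server_context()))
    print("after fix       :", renegotiation_disabled(dot_server_context()))
```

To re-check a live listener without sslyze, `openssl s_client -connect HOST:853 -tls1_2` followed by typing `R` on its own line asks the server to renegotiate; a server with the flag set declines instead of running a second handshake. The example deliberately reports the "flag available" state separately, because on an old OpenSSL the context builder silently cannot refuse renegotiation, which is exactly the situation the maintainer's caveat describes.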
@wcawijngaards

Member

commented Jul 19, 2019

I also fixed this in NSD, by the way. NLnetLabs/nsd@68742ad

@wcawijngaards wcawijngaards self-assigned this Jul 19, 2019

@yegle

Author

commented Jul 19, 2019

Confirmed fixed (at least sslyze no longer reports the issue).

Any chance of releasing a new version with this included, since this has the potential of being used for DoS?

jedisct1 added a commit to jedisct1/unbound that referenced this issue Jul 24, 2019
Merge remote-tracking branch 'nlnet/master'
* nlnet/master:
  - Fix question section mismatch in local zone redirect.
  Fixup space in error message.
  - Fix NLnetLabs#49: Set no renegotiation on the SSL context to stop client session renegotiation.
  - Fix NLnetLabs#48: Unbound returns additional records on NODATA response, if minimal-responses is enabled, also the additional for negative responses is removed.
  - Fix in respip addrtree selection. Absence of addr_tree_init_parents() call made it impossible to go up the tree when the matching netmask is too specific.
  - Fix for possible assertion failure when answering respip CNAME from cache.