Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unbound accept client initiated renegotiation #49

Closed
yegle opened this issue Jul 18, 2019 · 3 comments
Closed

Unbound accept client initiated renegotiation #49

yegle opened this issue Jul 18, 2019 · 3 comments
Assignees
@wcawijngaards

Comments

@yegle
Copy link

yegle commented Jul 18, 2019
edited
Loading 

pip3 install sslyze
sslyze --reneg $HOSTNAME:853

Result:

$ sslyze example.com:853 --reneg



 AVAILABLE PLUGINS
 -----------------

  CompressionPlugin
  RobotPlugin
  CertificateInfoPlugin
  FallbackScsvPlugin
  SessionRenegotiationPlugin
  SessionResumptionPlugin
  HttpHeadersPlugin
  EarlyDataPlugin
  OpenSslCipherSuitesPlugin
  OpenSslCcsInjectionPlugin
  HeartbleedPlugin



 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   example.com:853                       => XXXXX




 SCAN RESULTS FOR example.com:XXXXX
 ----------------------------------------------------------------------------

 * Session Renegotiation:
       Client-initiated Renegotiation:    VULNERABLE - Server honors client-initiated renegotiations
       Secure Renegotiation:              OK - Supported


 SCAN COMPLETED IN 0.18 S
 ------------------------
@wcawijngaards
Copy link
Member

Thanks for the check! The code did not have the SSL_OP_NO_RENEGOTIATION set on the context. The option requires an up to date version of openssl, but then I set it on all the SSL contexts.

@wcawijngaards
Copy link
Member

I also fixed this in NSD, by the way. NLnetLabs/nsd@68742ad

@wcawijngaards wcawijngaards self-assigned this Jul 19, 2019
@yegle
Copy link
Author

yegle commented Jul 19, 2019

Confirm fixed (at least sslyze no longer report the issue).

Any chance to release a new version with this included since this has the potential of being used to do DoS?

jedisct1 added a commit to jedisct1/unbound that referenced this issue Jul 24, 2019
@jedisct1
Merge remote-tracking branch 'nlnet/master'
d7a853f 
* nlnet/master:
  - Fix question section mismatch in local zone redirect.
  Fixup space in error message.
  - Fix NLnetLabs#49: Set no renegotiation on the SSL context to stop client   session renegotiation.
  - Fix NLnetLabs#48: Unbound returns additional records on NODATA response,   if minimal-responses is enabled, also the additional for negative   responses is removed.
  -  Fix in respip addrtree selection. Absence of addr_tree_init_parents() call    made it impossible to go up the tree when the matching netmask is too    specific.
  - Fix for possible assertion failure when answering respip CNAME from cache.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wcawijngaards wcawijngaards

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@yegle @wcawijngaards