False positive when testing for client-initiated renegotiation DoS attack #473
Comments
|
I started working on this, but am somewhat lost at the cli interface - the flag itself is working, but when I set it only the renegotiation job is executed... |
|
Thanks for the bug report. I ended up updating the check to try 10 client renegotiations in a row, in order to be sure 100% sure. I think this should be enough to fix this problem? |
|
I bumped it to 15 based on your message in #38:
|
nabla-c0d3
changed the title
|
The fix was released as part of v4.0.0. |
|
@FallenHero66 Please re-open this issue if I missed something or if my fix wasn't correct. Thanks! |
|
Hello @nabla-c0d3, and thank you for looking into this! I hope this information was helpful! EDIT: I cannot reopen this issue by the way, as you closed it |
|
@FallenHero66 would you be able to send me the server where this behavior is happening? |
|
@nabla-c0d3 is there a way to contact you privately? As it is the server of a customer, I would like to avoid disclosing it publicly EDIT: I will send it to your e-mail, if you do not mind. |
|
After looking into this I think the current approach works, so this is indeed fixed. |
As Issue #38 states, there are some cases where one renegotiation attempt is not a safe factor for a vulnerability against client-initiated renegotiation attempts DoS.
Running into this issue with BIG-IP for example, I suggest the addition of a flag which allows for setting a certain amount of retries.
This flag would probably have to be capped to a maximum (suggestions?) though, as otherwise it would allow for carrying out the actual attack.
The text was updated successfully, but these errors were encountered: