Test tomcat for ssl renegotiation vulnerability
Posted
by
Jim
on Server Fault
See other posts from Server Fault
or by Jim
Published on 2012-11-27T10:01:30Z
Indexed on
2012/11/27
11:06 UTC
Read the original article
Hit count: 247
How can I test if my server is vulnerable for SSL renegotiation?
I tried the following (using OpenSSL 0.9.8j-fips 07 Jan 2009:
openssl s_client -connect 10.2.10.54:443
I see it connects, it brings the certificate chain, it shows the server certificate, and last:
SSL handshake has read 2275 bytes and written 465 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 50B4839724D2A1E7C515EB056FF4C0E57211B1D35253412053534C4A20202020
Session-ID-ctx:
Master-Key: 7BC673D771D05599272E120D66477D44A2AF4CC83490CB3FDDCF62CB3FE67ECD051D6A3E9F143AE7C1BA39D0BF3510D4
Key-Arg : None
Start Time: 1354008417
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
What does Secure Renegotiation IS supported mean? That SSL renegotiation is allowed?
Then I did but did not get an exception or get the certificate again:
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 174
Date: Tue, 27 Nov 2012 09:13:14 GMT
Connection: close
So is the server vulnerable to SSL renegotiation or not?
© Server Fault or respective owner
