How to secure client-initiated SSL renegotiation

The SSL encryption uses a negotiation process that needs more resources on the server than on the client. Therefore, if the client can initiate the renegotiation process, an attacker can render the server unavailable with a Denial of Service attack.

Security Assessment

Security_Assessment_ SecureClient-InitiatedSSLRenegotiation

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Vulnerability Information

The negotiation process of the SSL encryption uses significantly more resources on the server than on the client. Therefore, if the client can initiate the renegotiation process, an attacker can render the server unavailable with a Denial of Service attack.

The SSL renegotiation flaw can affect different types of systems. It is caused by a vulnerability in the client-initiated renegotiation of SSL/TLS for existing server connections. 

Some of the symptoms of renegotiation issues include:

  • It fails in the case of a virtual server processing SSL connections
  • There are BIG-IP system error messages logged about SSL handshake/renegotiation
  • The virtual server rejecting renegotiation attempts is logged in the SSL statistics

In a nutshell, the SSL communication — or handshake process — entails exchanging messages between the server and the client. They define the settings of the encrypted communication, including enabled cipher suites, protocol version, renegotiation security, and others. 

The SSL handshake contains components like ClientHello, ServerHello, Server’s certificate, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, Renegotiated SSL sessions, and Renegotiation settings. 

The last two components relate to the SSL renegotiation. The initial handshake process can be renegotiated with different cryptographic parameters if necessary. The other options for a renegotiation setting include how the renegotiation requests are processed, period (renegotiation after a certain period), size (after a certain amount of data), and max record delay (number of delayed records), among others. 

How to prevent insecure client-initiated SSL renegotiation

This problem has been fixed in recent webserver versions. E.g., the latest versions of Apache and Nginx do not allow client-initiated SSL renegotiation.

Therefore make sure that your webserver is up-to-date.

E.g., run:

apt-get update; apt-get upgrade # Debian / Ubuntu
yum update # RHeL / CentOS
pacman -Syu # Arch Linux

If your web server does not prevent this by default, you need to ensure to disable the Client-Initiated SSL Renegotiation. Only the server should be allowed to initiate a renegotiation of the SSL/TLS connection.

If you have any questions about SSL/TLS implementation or have any challenges, please let us know, and we are happy to provide solutions to your challenge.