I have a fresh install of 2022.12.1 from ISO. It's been hardened with the CIS SUSE Linux benchmark (in case that matters.) I've just run a vulnerability scan, and the gromox services (https, imap, pop3) are coming back as vulnerable to 'SSL/TLS: Renegotiation DoS Vulnerability'. Is there an option somewhere to disable client-side requested renegotiation? Thanks!
As an update, adding SSL_OP_NO_RENEGOTIATION system-wide at /etc/ssl/openssl.cnf had no effect.
I tested with testssl
testssl [-t smtp|pop|imap] host.domain.tld[:smtp|:pop|:imap] either one or none for https...
testssl [-t smtp|pop|imap] host.domain.tld[:smtp|:pop|:imap]
postconf tls_ssl_options=NO_RENEGOTIATION
adding SSL_OP_NO_RENEGOTIATION system-wide at /etc/ssl/openssl.cnf had no effect
I do not think you are supposed to just aimlessly add SSL_OP_NO_RENEGOTIATION to openssl.cnf. That is not documented in openssl.cnf(5).
You do not need any external programs for that. https://community.akamai.com/customers/s/article/How-to-test-Client-TLS-Renegotiation (https://nvd.nist.gov/vuln/detail/cve-2011-1473 is also under dispute.)
By my tests, openssl 1.1.x allows renego and openssl 3.x does not. So it appears to depend on the version used during build.
jengelh You do not need any external programs for that.
yeah but i'm lazy 😛
Was a hail mary based on suggestions for other issues from non-grommunio apps.
https://nvd.nist.gov/vuln/detail/cve-2011-1473 is also under dispute
Under dispute that it should be disabled by the server, not openSSL, which in this instance I read as grommunio (maybe a feature enhancement request?)
By my tests, openssl 1.1.x allows renego and openssl 3.x does not.
Hey good catch, I'll try 3.x
Thanks for your time!
gromox-2.4-102-gda121580b
jengelh You deserve a pint!
© 2020-2023 grommunio GmbH. All rights reserved. | https://grommunio.com | Data Protection | Imprint
