vandewater
I have a fresh install of 2022.12.1 from ISO. It's been hardened with the CIS SUSE Linux benchmark (in case that matters). I've just run a vulnerability scan, and the gromox services (https, imap, pop3) are coming back as vulnerable to 'SSL/TLS: Renegotiation DoS Vulnerability'. Is there an option somewhere to disable client-side requested renegotiation? Thanks!
vandewater
As an update, adding SSL_OP_NO_RENEGOTIATION system-wide at /etc/ssl/openssl.cnf had no effect.
crpb
I tested with testssl:

    testssl [-t smtp|pop|imap] host.domain.tld[:smtp|:pop|:imap]

(either one or none for https...)

Postfix/SMTP: postconf tls_ssl_options=NO_RENEGOTIATION
Nginx/HTTPS: Didn't fail on my hosts
Gromox/POP+IMAP: @jengelh any thoughts?
jengelh
> adding SSL_OP_NO_RENEGOTIATION system-wide at /etc/ssl/openssl.cnf had no effect

I do not think you are supposed to just aimlessly add SSL_OP_NO_RENEGOTIATION to openssl.cnf. That is not documented in openssl.cnf(5).

> I tested with testssl

You do not need any external programs for that. https://community.akamai.com/customers/s/article/How-to-test-Client-TLS-Renegotiation

(https://nvd.nist.gov/vuln/detail/cve-2011-1473 is also under dispute.)

By my tests, openssl 1.1.x allows renego and openssl 3.x does not. So it appears to depend on the version used during build.
vandewater
> I do not think you are supposed to just aimlessly add SSL_OP_NO_RENEGOTIATION to openssl.cnf. That is not documented in openssl.cnf(5).

Was a Hail Mary based on suggestions for other issues from non-grommunio apps.

> https://nvd.nist.gov/vuln/detail/cve-2011-1473 is also under dispute

Under dispute that it should be disabled by the server, not OpenSSL, which in this instance I read as grommunio (maybe a feature enhancement request?)

> By my tests, openssl 1.1.x allows renego and openssl 3.x does not.

Hey, good catch, I'll try 3.x. Thanks for your time!
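The manual check jengelh points to (send the "R" command to openssl s_client and see whether the server completes a second handshake), scripted as an added example that is not part of this thread or of grommunio/gromox; it assumes the markers s_client prints ("RENEGOTIATING", "no renegotiation", the verify lines), which may differ between OpenSSL versions, and it can be pointed at the https, imap and pop3 listeners from the original question.

```python
"""Check whether a TLS server accepts client-initiated renegotiation.

Added example, not from the thread or from grommunio: drives `openssl s_client`,
sends the command line "R" (s_client then requests a renegotiation), waits
briefly and classifies the output. The marker strings are assumptions about
s_client's messages and may need adjusting per OpenSSL version.
"""
import subprocess
import sys
import time

# Assumed s_client markers (not stated in the thread).
RENEGO_START = "RENEGOTIATING"
REFUSED_MARKERS = ("no renegotiation", "unsafe legacy renegotiation disabled")
ACCEPTED_MARKERS = ("verify return:", "SSL-Session:")


def classify(output: str) -> str:
    """Map s_client output to 'allowed', 'refused' or 'unknown'."""
    if RENEGO_START not in output:
        return "unknown"            # the R command never reached s_client
    after = output.split(RENEGO_START, 1)[1]
    if any(m in after for m in REFUSED_MARKERS):
        return "refused"            # server rejected the second handshake
    if any(m in after for m in ACCEPTED_MARKERS):
        return "allowed"            # a second handshake ran: this is the finding
    return "unknown"


def check_host(host, port, starttls=None, wait=2.0, timeout=20.0):
    """Run the R test; starttls is e.g. 'imap', 'pop3' or 'smtp'."""
    # Renegotiation only exists up to TLS 1.2, so pin that version.
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-tls1_2"]
    if starttls:
        cmd += ["-starttls", starttls]
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    proc.stdin.write("R\n")
    proc.stdin.flush()
    time.sleep(wait)                # let the handshake run before EOF ends s_client
    out, _ = proc.communicate(timeout=timeout)
    return classify(out)


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    starttls = sys.argv[3] if len(sys.argv) > 3 else None
    print(host, port, "client-initiated renegotiation:", check_host(host, port, starttls))
```

Run it as `python3 renego_check.py mail.example.test 443` or, for the STARTTLS listeners, `python3 renego_check.py mail.example.test 143 imap`; "allowed" is the condition the scanner in the original post flags, "refused" is what a server built against OpenSSL 3.x should produce.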