SSL: Key Renegotiation
This protocol anomaly triggers when it detects SSL renegotiation. SSL renegotiation is a new SSL handshake in an established SSL session (with the existing tcp connection). It is encrypted and sent over an existing SSL session. Renegotiation is useful when either/both of the participants want to use different set of keys or hash algorithms and for client authentication over secure connections. According to the 2009 OpenSSL source change log (11/05/2009): Disabling renegotiation completely fixes a severe security problem (CVE-2009-3555), but at the cost of breaking all renegotiations.
Extended Description
Multiple vendors' TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process. Successful exploits of this issue may allow attackers to perform limited man-in-the-middle attacks against vulnerable applications. Note that this issue does not allow attackers to decrypt encrypted data.
Affected Products
Cisco wireless_lan_control,Sun java_system_web_server,Opera_software opera_web_browser
Short Name
SSL:AUDIT:KEY-RENEGOTIATION
Severity
Minor
Recommended
True
Recommended Action
None
Category
SSL
Keywords
CVE-2009-3555 SSL key renegotiation
Release Date
09/02/2009
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3339
False Positive
Unknown
Vendors
Blue_coat_systems
Balabit
Sun
Gnu
Oracle
Slackware
Openvpn
Apache_software_foundation
Proftpd_project
Gentoo
Opera_software
Hp
Mozilla
Avaya
Ingate
Openoffice
Pardus
Ubuntu
Novell
Debian
Openssl_project
Voodoo_circle
Linksys
Ibm
Aruba_networks
Zeus_technology
Freebsd
Mandriva
Suse
Microsoft
F5
Red_hat
Research_in_motion
Cisco
Apple
Matrixssl
Rpath
Turbolinux
Hitachi
Innominate
Bsd_perimeter
Citrix
Netbsd
Vmware
CVSS Score
5.8