EldoS | Feel safer!

Software components for data protection, secure storage and transfer

TLS Protocol Session Renegotiation Security Vulnerability

Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.
Posted: 04/10/2013 17:05:48
by Darian Miller (Standard support level)
Joined: 06/27/2011
Posts: 47

A new web scanner was installed that throws the warning below on an Indy HTTPS server using SBB9 transport. Have you seen this before? Is there a workaround/fix available?


Threat Name ID Port Risk
TLS Protocol Session Renegotiation Security Vulnerability misc_opensslrenegotiation 443/TCP medium

The vulnerability allows man-in-the-middle attack.

The Multiple Vendor TLS Protocol Session Renegotiation Security vulnerability was reported in
[http://www.securityfocus.com/bid/36935/] Bugtraq ID 36935.


Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
CVE 2009-3555
Multiple vendors TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which
allows man-in-the-middle attackers to insert data into HTTPS sessions,
and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a
server in a post-renegotiation context.

For OpenSSL, [http://www.openssl.org/source/] upgrade to
0.9.8l or higher.
For Microsoft IIS web servers, install the appropriate patch available through
Microsoft Security Bulletin 10-049.
For other types of products, consult the product

Service: 443:TCP Session Renegotiation succeeded on 443:TCP
Posted: 04/11/2013 01:48:35
by Ken Ivanov (EldoS Corp.)

Hello Darian,

Please have a look at this knowledgebase article, it explains in detail what to do to make your code secure with regard to the renegotiation vulnerability.



Topic viewed 2072 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!