Nginx Question posted in
The official documentation can be found here.

Disable client-initiated secure renegotiation in nginx

I use Nginx 1.19.6 and OpenSSL 1.1.1i.
But I checked my server support client-initiated secure renegotiation… (https://www.immuniweb.com/ssl/?id=Ek4FSF6C)

I don’t know why my server supports client-initiated secure renegotiation.

Check Code:

openssl s_client -connect gjan.info:443 -msg -tls1_2

Result:

---
R
RENEGOTIATING
>>> ??? [length 0005]
    16 03 03 00 f6
>>> TLS 1.2, Handshake [length 00de], ClientHello
    01 00 00 da 03 03 cb bf ab b8 6f a1 31 14 2d fb
    ad 63 aa d2 15 c6 5d fc 8c 19 fc db 4c 7f 5b d8
    f1 f1 fd f3 29 fa 00 00 36 c0 2c c0 30 00 9f cc
    a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28 00
    6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0
    13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 01
    00 00 7b ff 01 00 0d 0c 1b a5 84 2c 92 28 da 6e
    0c 84 5f c4 00 00 00 0e 00 0c 00 00 09 67 6a 61
    6e 2e 69 6e 66 6f 00 0b 00 04 03 00 01 02 00 0a
    00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23
    00 00 00 16 00 00 00 17 00 00 00 0d 00 30 00 2e
    04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b
    08 04 08 05 08 06 04 01 05 01 06 01 03 03 02 03
    03 01 02 01 03 02 02 02 04 02 05 02 06 02
<<< ??? [length 0005]
    15 03 03 00 1a
<<< TLS 1.2, Alert [length 0002], warning no_renegotiation
    01 64
>>> ??? [length 0005]
    15 03 03 00 1a
>>> TLS 1.2, Alert [length 0002], fatal handshake_failure
    02 28
547636304368:error:14094153:SSL routines:ssl3_read_bytes:no renegotiation:../ssl/record/rec_layer_s3.c:1560:

Is just ImmuniWeb error or really my web server supported? If supported how can I disable?

Tags:

2

Answers


  1. 0

    It’s just immuniweb. Qualys/ssllabs correctly shows

    Secure Renegotiation    Supported
Secure Client-Initiated Renegotiation   No
Insecure Client-Initiated Renegotiation     No

    The first means the RFC5746 negotiation during handshake works; the second and third mean actual renegotiation initiated by the client fails.

    PS: this isn’t really a programming question or problem, but as long as others haven’t voted to close I won’t bother.

    Login or Signup to reply.
  2. 0

    It might not be possible to use a setting in nginx to solve this security issue. However, you might refer nginx developers to this answer so they can make proper changes in their codebase. This is NOT just immuniweb as the other answer indicates.

    The SSL_OP_NO_RENEGOTIATION option were added in OpenSSL 1.1.1. To make immuniweb give you the same score as we have (A+) you need to set SSL_OP_NO_RENEGOTIATION in order to disable all renegotiation in TLSv1.2 and earlier. This needs to be set where the SSL_CTX is created. You might also need to make additional changes in order to get the wanted scoring.

    SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method());
...
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_RENEGOTIATION);

    Source: SSL_CTX_set_options man 1.1.1

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search