Test tomcat for ssl renegotiation vulnerability

Posted by Jim on Server Fault See other posts from Server Fault or by Jim
Published on 2012-11-27T10:01:30Z Indexed on 2012/11/27 11:06 UTC
Read the original article Hit count: 282

Filed under:
|
|
|

How can I test if my server is vulnerable for SSL renegotiation?
I tried the following (using OpenSSL 0.9.8j-fips 07 Jan 2009:

openssl s_client -connect 10.2.10.54:443

I see it connects, it brings the certificate chain, it shows the server certificate, and last:

SSL handshake has read 2275 bytes and written 465 bytes  
---  
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA  
Server public key is 1024 bit  
Secure Renegotiation IS supported  
Compression: NONE  
Expansion: NONE  
SSL-Session:  
    Protocol  : TLSv1  
    Cipher    : DHE-RSA-AES256-SHA  
    Session-ID: 50B4839724D2A1E7C515EB056FF4C0E57211B1D35253412053534C4A20202020  
    Session-ID-ctx:   
    Master-Key: 7BC673D771D05599272E120D66477D44A2AF4CC83490CB3FDDCF62CB3FE67ECD051D6A3E9F143AE7C1BA39D0BF3510D4  
    Key-Arg   : None  
    Start Time: 1354008417  
    Timeout   : 300 (sec)  
    Verify return code: 21 (unable to verify the first certificate)  

What does Secure Renegotiation IS supported mean? That SSL renegotiation is allowed?
Then I did but did not get an exception or get the certificate again:

verify error:num=20:unable to get local issuer certificate  
verify return:1  

verify error:num=27:certificate not trusted  
verify return:1  

verify error:num=21:unable to verify the first certificate  
verify return:1  

HTTP/1.1 200 OK  
Server: Apache-Coyote/1.1  
Content-Type: text/html;charset=ISO-8859-1  
Content-Length: 174  
Date: Tue, 27 Nov 2012 09:13:14 GMT  
Connection: close  

So is the server vulnerable to SSL renegotiation or not?

© Server Fault or respective owner

Related posts about ssl

Related posts about tomcat