On 28/10/2021 14:16, Felipe Gasper wrote:


On Oct 28, 2021, at 03:52, Matt Caswell <m...@openssl.org> wrote:



On 27/10/2021 18:53, Felipe Gasper wrote:
Support for secure renegotiation is a “good thing”, right? That being 
the case, why would the newer OpenSSL version report no support for it while 
the older one supports it?

Probably TLSv1.3 is being negotiated with the newer version. In TLSv1.3 secure 
renegotiation is not supported because it is irrelevant. TLSv1.3 doesn't do 
renegotiation at all.

Ahh, thank you. That makes sense.

Would a patch that updates s_client’s verbiage be accepted?

Potentially into master, yes. Not into 3.0 or 1.1.1.


It seems like, when TLS 1.3 is in play, the note about secure renegotiation should either be omitted or altered to mention that renegotiation support is a non-issue for this TLS version.

It also seems like the SECURE RENEGOTIATION section of OpenSSL’s docs could use 
a bit of an update to mention that it’s only relevant for 1.2 and prior?

Fixes for the docs are always welcome - even for 3.0 and 1.1.1.



Related: apparently some security-scanning tools flag any client renegotiation 
support as a potential vulnerability. Apparently about 10 years back it came 
out that renegotiations were more expensive on the server than on the client, 
as a result of which it was possible for a client to run a denial-of-service 
attack by issuing renegotiation requests over and over. Is this still an issue, 
or is it something that newer OpenSSLs effectively mitigate?

Over the years there have been various problems related to renegotiation. From OpenSSL 3.0 client-initiated reneg is disabled by default on the server. Note that this is different to whether the server claims support for "SECURE RENEGOTIATION". The server will still negotiate the secure renegotiation feature, but will reject attempts by the client to actually initiate reneg.

Matt
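
Added example (not part of the thread and not OpenSSL project code): a triage helper that reads captured `openssl s_client` output and interprets the "Secure Renegotiation" banner in light of the negotiated protocol, so that a TLSv1.3 session is not reported as lacking secure renegotiation. The function name, the result labels and the sample captures are constructed for illustration.

```python
import re

# s_client summary line, e.g. "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384".
# The middle field is the protocol family of the cipher, which is enough to
# tell TLSv1.3 apart from earlier versions.
_SUMMARY = re.compile(r"^(?:New|Reused), (.+?), Cipher is ", re.M)
_RENEG = re.compile(r"^Secure Renegotiation IS (NOT )?supported", re.M)


def triage_renegotiation(s_client_output):
    """Return 'not-applicable', 'secure', 'insecure', 'no-handshake' or 'unknown'."""
    summary = _SUMMARY.search(s_client_output)
    reneg = _RENEG.search(s_client_output)
    if summary is None or reneg is None:
        return "unknown"          # truncated capture, banner lines missing
    family = summary.group(1)
    if family == "(NONE)":
        return "no-handshake"     # banner is printed even when nothing was negotiated
    if family == "TLSv1.3":
        return "not-applicable"   # TLSv1.3 has no renegotiation at all
    return "insecure" if reneg.group(1) else "secure"


# Constructed sample captures (not taken from the thread).
SAMPLES = {
    "tls13": "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384\n"
             "Secure Renegotiation IS NOT supported\n",
    "tls12_ok": "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n"
                "Secure Renegotiation IS supported\n",
    "tls12_bad": "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n"
                 "Secure Renegotiation IS NOT supported\n",
    "failed": "New, (NONE), Cipher is (NONE)\n"
              "Secure Renegotiation IS NOT supported\n",
    "truncated": "CONNECTED(00000003)\n",
}

if __name__ == "__main__":
    for name, capture in SAMPLES.items():
        print(f"{name}: {triage_renegotiation(capture)}")
```

A "secure" result only says the secure renegotiation feature was negotiated; as the reply above notes, whether the server accepts client-initiated renegotiation is a separate setting.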
