Disable SSL Renegotiations (SECURITY)

Version 1.45

Bugfix
Finished

Prevent SSL renegotiations after the SSL handshake has already completed. Addresses CVE-2009-3555. This will also help with PCI compliance.

Forum thread: http://forum.directadmin.com/showthread.php?t=48255

You can test your instance of DA (it must already be using SSL=1 in directadmin.conf for this to have any point):

    openssl s_client -port 2222 -host 127.0.0.1

Once connected, you'll see info about your certificate and connection, and most likely this:

    Secure Renegotiation IS supported

Press shift-R, and press enter. You'll get one of two outputs:

1) This is what you don't want to see, as it means post-handshake SSL renegotiation is allowed:

    R
    RENEGOTIATING
    depth=0 /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
    verify return:1
    closed

2) This is what you do want to see:

    R
    RENEGOTIATING
    31686:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

You can change 127.0.0.1 to any host you want, and even test Apache (port 443 instead of 2222).

Also, seeing "Secure Renegotiation IS supported" is OK, as long as the renegotiation fails with the "R" command. A server/client connection is allowed to renegotiate as long as it's done before the handshake is completed. Basically, once the request comes in, or DA sends data out, no more negotiation should be done.

As for the usefulness with DA: DA itself doesn't really need renegotiation (pre-handshake aside), as it does not support persistent connections.
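The manual check described above can be scripted for repeated use across hosts. This is an added example, not DirectAdmin code: it classifies an s_client transcript by the two outputs quoted on this page; the function names and the sample transcripts (constructed from those outputs) are assumptions.

```bash
# Added example (not DirectAdmin code); function names are hypothetical.

# Classify an `openssl s_client` transcript captured after sending "R".
# Prints one of: refused | allowed | unknown
classify_reneg() {
    local transcript after
    transcript="$1"
    # Nothing to judge unless s_client actually attempted a renegotiation.
    case "$transcript" in
        *RENEGOTIATING*) after="${transcript#*RENEGOTIATING}" ;;
        *) echo unknown; return 0 ;;
    esac
    if printf '%s\n' "$after" | grep -Eq '(^|:)error:'; then
        # An OpenSSL error record after the attempt: the server rejected it.
        echo refused
    elif printf '%s\n' "$after" | grep -q 'verify return:'; then
        # Certificate verification ran again: a second handshake took place.
        echo allowed
    else
        echo unknown
    fi
}

# Live check of a server you administer (needs openssl and network access).
check_reneg() {
    local host port out
    host="${1:-127.0.0.1}"
    port="${2:-2222}"
    # Send "R", then keep stdin open briefly so the server's reply is captured.
    out="$( { printf 'R\n'; sleep 3; } | openssl s_client -host "$host" -port "$port" 2>&1 )"
    classify_reneg "$out"
}

# Constructed sample transcripts, built from the two outputs quoted on this page.
SAMPLE_REFUSED='Secure Renegotiation IS supported
R
RENEGOTIATING
31686:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:'

SAMPLE_ALLOWED='Secure Renegotiation IS supported
R
RENEGOTIATING
depth=0 /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
verify error:num=18:self signed certificate
verify return:1
closed'
```

Run `check_reneg 127.0.0.1 2222` for DA or `check_reneg 127.0.0.1 443` for Apache; a result of `unknown` means the transcript matched neither pattern and should be read by hand.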
