« Clientless SSL VPN products break the Web | Main | How to render SSL useless »

December 15, 2009

Testing for SSL renegotiation

Someone asked me how to test for SSL connection renegotiation, so I thought I would also write here for the benefit of everyone. Testing is easy provided you have access to an un-patched version of OpenSSL. To test, you will use the s_client tool (you'll type the bits in blue):

$ openssl s_client -connect www.ssllabs.com:443
[snip... a lot of openssl output]
---
HEAD / HTTP/1.0
R
RENEGOTIATING
28874:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

The idea is that you connect to an SSL server and start by typing the first line of a request. You then type a single uppercase letter R on a single line, which tells OpenSSL to ask for renegotiation. I am aware of the following outcomes:

  • Your HTTP request completes, which means that renegotiation is enabled
  • You get an error (one such possible error is shown in the example above), which means that renegotiation did not work
  • The connection blocks and timeouts after a while, which is how OpenSSL 0.9.8l deals with renegotiation.
Of course, a SSL Labs report will tell you whether a particular server supports renegotiation.

Posted by Ivan Ristić at 13:02:03 in SSL

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00e54fd889f288340120a7536899970b

Listed below are links to weblogs that reference Testing for SSL renegotiation:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

But isn't one of the proposed fixes, in addition to disabling renegotiation, to cryptographically couple the renegotiated session to the original session? In which case, the above test would result in a false positive?

Posted by: Keith Royster | February 24, 2010 at 03:31 PM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

MY WORK

ModSecurity Handbook is the guide to the world's most popular web application firewall.
SSL Labs offers a comprehensive SSL security assessment consisting of 250+ checks. To start, enter your domain name below (it's free):

ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.   [LinkedIn Profile]

My Photo

TWITTER

@ivanristic

    Categories

    Archives

    FEEDS