
Secure renegotiation test added to SSL Labs

May 25, 2010

When the SSL and TLS authentication gap (the renegotiation vulnerability) was first disclosed in November 2009, there wasn't much anyone could do about it. You could disable renegotiation altogether, which only worked if your site did not depend on the feature. Thus my initial test focused only on whether the server allowed renegotiation at all.

A couple of months ago, in February, the TLS Working Group published RFC 5746, Transport Layer Security (TLS) Renegotiation Indication Extension, to address the authentication gap. The RFC adds a secure renegotiation mechanism to both SSL 3.0 and TLS: each side advertises support with the renegotiation_info extension (or, for clients that cannot send extensions, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite), and every renegotiation carries the verify_data of the previous handshake, so a handshake spliced in by an attacker cannot be bound to the victim's connection. With a number of vendors now shipping support for the RFC (you can follow the status of the various patches and updates at this page at PhoneFactor), I thought it would be a good time to update my SSL Labs code so that the tests accurately report server configuration.

SSL Labs will now not only correctly discover if secure renegotiation is supported, but it will give a nice green cheer every time it sees it on a site.
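As an added illustration of what such a test has to do (this is example code written for this page, not the SSL Labs scanner), the script below builds a ClientHello that signals RFC 5746 support both ways, with an empty renegotiation_info extension and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite, and then classifies the ServerHello: a server that has been patched answers with an empty renegotiation_info extension of its own; an unpatched server omits it; and a server that sends a non-empty renegotiated_connection on an initial handshake is misbehaving and the client must abort (RFC 5746, section 3.4). The offered cipher suites, the server-name value and the three ServerHello fixtures are constructed for the example; `probe()` is the only function that touches the network.

```python
"""Check whether a TLS server advertises RFC 5746 secure renegotiation.

Added example, not SSL Labs code. The ClientHello offers only legacy RSA
suites (as a 2010-era client would) plus the SCSV; servers that reject the
offer answer with an alert, which check_server_hello() reports as an error.
"""
import os
import socket
import struct
from typing import Optional

TLS_1_0 = b"\x03\x01"               # record-layer version
TLS_1_2 = b"\x03\x03"               # client_version offered in the hello
RENEGOTIATION_INFO = 0xFF01         # RFC 5746 extension type
SCSV = b"\x00\xff"                  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
CIPHER_SUITES = [                   # constructed offer; any real suites would do
    b"\x00\x2f",  # TLS_RSA_WITH_AES_128_CBC_SHA
    b"\x00\x35",  # TLS_RSA_WITH_AES_256_CBC_SHA
    b"\x00\x0a",  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    SCSV,
]


def build_client_hello(server_name: str, client_version: bytes = TLS_1_2) -> bytes:
    """ClientHello carrying both RFC 5746 signals: empty renegotiation_info and the SCSV."""
    host = server_name.encode("idna")
    sni_data = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    extensions = (
        struct.pack("!HH", 0x0000, len(sni_data)) + sni_data                # server_name
        + struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"               # renegotiated_connection = <empty>
    )
    suites = b"".join(CIPHER_SUITES)
    body = (
        client_version
        + os.urandom(32)                                   # client random
        + b"\x00"                                          # no session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                      # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake


def check_server_hello(record: bytes) -> str:
    """Classify the first TLS record the server sends back.

    "secure"   - ServerHello carries an empty renegotiation_info extension
    "insecure" - extension absent: server does not implement RFC 5746
    "abort"    - extension present but non-empty on an initial handshake,
                 which RFC 5746 s.3.4 says the client MUST treat as fatal
    Anything else (alert, truncation, SCSV selected) raises ValueError.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!B2sH", record[:5])
    if ctype == 0x15:
        raise ValueError("server sent an alert instead of a ServerHello")
    if ctype != 0x16:
        raise ValueError("unexpected record type %#x" % ctype)
    hs = record[5:5 + rlen]
    if len(hs) != rlen or hs[0] != 0x02:
        raise ValueError("expected a complete ServerHello handshake message")
    hlen = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    if len(body) != hlen:
        raise ValueError("truncated ServerHello body")
    pos = 2 + 32                                   # skip server_version and random
    pos += 1 + body[pos]                           # skip session_id
    cipher = body[pos:pos + 2]
    if cipher == SCSV:
        raise ValueError("server selected the SCSV, which is not a real cipher suite")
    pos += 2 + 1                                   # cipher_suite, compression_method
    if pos == len(body):
        return "insecure"                          # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    exts = body[pos + 2:pos + 2 + ext_len]
    if len(exts) != ext_len:
        raise ValueError("truncated extensions")
    i = 0
    while i + 4 <= len(exts):
        etype, elen = struct.unpack("!HH", exts[i:i + 4])
        edata = exts[i + 4:i + 4 + elen]
        if len(edata) != elen:
            raise ValueError("truncated extension")
        if etype == RENEGOTIATION_INFO:
            if elen == 0 or edata[0] != elen - 1:   # opaque renegotiated_connection<0..255>
                raise ValueError("malformed renegotiation_info")
            return "secure" if edata == b"\x00" else "abort"
        i += 4 + elen
    return "insecure"


def build_server_hello(extensions: Optional[bytes]) -> bytes:
    """Constructed ServerHello fixture for offline testing (not captured traffic)."""
    body = TLS_1_0 + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions is not None:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake


SECURE_HELLO = build_server_hello(struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00")
UNPATCHED_HELLO = build_server_hello(None)
BAD_INITIAL_HELLO = build_server_hello(
    struct.pack("!HH", RENEGOTIATION_INFO, 25) + b"\x18" + bytes(24))  # 24 bytes of verify_data on a first handshake


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-record")
        buf += chunk
    return buf


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: send the ClientHello and classify the first reply record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        header = _recv_exact(sock, 5)
        return check_server_hello(header + _recv_exact(sock, struct.unpack("!H", header[3:5])[0]))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Two caveats a scanner has to handle that the fixtures above gloss over: a real server usually packs ServerHello, Certificate and ServerHelloDone into the first record (the parser reads only the first handshake message, so that is fine), but a ServerHello can also be split across records, and a server that no longer accepts TLS 1.2 with RSA key exchange will answer with an alert rather than telling you anything about renegotiation. Seeing the extension in the ServerHello proves only that the server advertises RFC 5746; it does not prove that client-initiated renegotiation is disabled, which is a separate setting.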

Special offer: 25% off ModSecurity Handbook until May 31st. Enter discount code MSHBIRY671XHL1V at checkout.