Repeated renegotiation of TLS / SSL connections

Hello:

OS: CentOS Linux 5.9 - Linux 2.6.18-348.3.1.el5 on x86_64

Virtualmin version 3.99.gpl GPL

All Virtualmin packages are up to date.

I received a PCI scan fail due to “The remote service allows repeated renegotiation of TLS / SSL connections.”

Description : The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.

See also :

http://orchilles.com/2011/03/ssl-renegotiation-dos.html

http://www.ietf.org/mail-archive/web/tls/current/msg07553.html

Solution : Contact the vendor for specific patch information.

===============

Anyone have a fix for this?

Thanks,
BIll56

Howdy,

Which service caused the failure you’re seeing?

Also, just to verify – are you saying that if you run “yum update”, that there’s no additional updates to process?

-Eric

Hi Eric:

yum update: No Packages marked for Update

Application: pop3
Port: 110
Protocol: tcp
VATID: 53491
Synopsis :
The remote service allows repeated renegotiation of TLS / SSL connections.

Thanks,
Bill

I was seeing the failure on POP3, so I disabled this and re-ran the PCI scan.
Now I get the same fail on IMAP:

Application: imap
Port: 143
Protocol: tcp
VATID: 53491
Synopsis :
The remote service allows repeated renegotiation of TLS / SSL
connections.
Description :
The remote service encrypts traffic using TLS / SSL and permits
clients to renegotiate connections. The computational requirements
for renegotiating a connection are asymmetrical between the client and
the server, with the server performing several times more work. Since
the remote host does not appear to limit the number of renegotiations
for a single TLS / SSL connection, this permits a client to open
several simultaneous connections and repeatedly renegotiate them,
possibly leading to a denial of service condition.
See also :
http://orchilles.com/2011/03/ssl-renegotiation-dos.html
http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution :
Contact the vendor for specific patch information.
CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 3.9
(CVSS2#E:POC/RL:U/RC:C)
Public Exploit Available : true
Plugin output :
The remote host is vulnerable to renegotiation DoS over TLSv1 / SSLv3.
CVE : CVE-2011-1473
BID : 48626

Any ideas how to fix this?

Thanks,
Bill
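The scanner description quoted in the first post and again in the IMAP report says the host does not limit the number of renegotiations on a single TLS connection. As an added example (not code from this thread, from Virtualmin, or from the mail server involved), this is how an OpenSSL-based server can cap client-initiated renegotiations per connection with an info callback, the approach web servers adopted for this finding; the counting logic is plain C and runs without libssl, while the wiring part assumes OpenSSL 1.1.1 or later and is guarded by a hypothetical USE_OPENSSL define.

```c
/* Flag values copied from OpenSSL's <openssl/ssl.h>, so the policy logic
 * below builds and runs without libssl installed. */
#define CB_HANDSHAKE_START 0x10
#define CB_HANDSHAKE_DONE  0x20

/* Initial handshake plus at most this many client-initiated renegotiations. */
#define MAX_RENEGOTIATIONS 1

struct renego_state {
    int handshake_done;   /* initial handshake has completed */
    int renegotiations;   /* handshakes started after the first one */
    int drop;             /* set once the limit is exceeded; never cleared */
};

/* Feed one info-callback event (the "where" bitmask). Returns 1 when the
 * connection has exceeded the renegotiation limit and should be closed. */
int renego_track(struct renego_state *st, int where)
{
    if ((where & CB_HANDSHAKE_START) && st->handshake_done) {
        st->renegotiations++;
        if (st->renegotiations > MAX_RENEGOTIATIONS)
            st->drop = 1;
    }
    if (where & CB_HANDSHAKE_DONE)
        st->handshake_done = 1;
    return st->drop;
}

#ifdef USE_OPENSSL   /* wiring into a real server; link with -lssl -lcrypto */
#include <openssl/ssl.h>

static void renego_info_cb(const SSL *ssl, int where, int ret)
{
    struct renego_state *st = SSL_get_app_data(ssl);
    (void)ret;
    /* TLS 1.3 has no renegotiation, but post-handshake messages also raise
     * SSL_CB_HANDSHAKE_START, so only count on older protocol versions. */
    if (st != NULL && SSL_version(ssl) != TLS1_3_VERSION)
        renego_track(st, where);
}

/* Call once per SSL_CTX. Each accepted SSL gets its own state through
 * SSL_set_app_data(), and the I/O loop closes the socket as soon as
 * st->drop is set after an SSL_read()/SSL_write(). */
void renego_install(SSL_CTX *ctx)
{
    SSL_CTX_set_info_callback(ctx, renego_info_cb);
}
#endif
```

The callback cannot abort the handshake itself, so the decision is recorded in the per-connection state and enforced by the server's read/write loop, which is how the limit ends up bounding the work a single client can force.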