TLS Protocol Session Renegotiation Security Vulnerability

Hi,

I am currently working on getting a server with CentOS 5.11 through PCI certification.

I get: TLS Protocol Session Renegotiation Security Vulnerability

I don't know what to do about it and it only affects the webmin/virtualmin login (usermin port is closed). All SSL settings are set as recommended in https://www.virtualmin.com/documentation/security/pci. I have checked on Red Hat and here is what they say: https://access.redhat.com/articles/20490, which does not help much as there seems to be no solution available right now. As additional info, we are using two-factor authentication on top of an SSL connection.

Any hints on what to do?

Here is the scan report:
THREAT REFERENCE

Summary:
TLS Protocol Session Renegotiation Security Vulnerability

Risk: High (3)
Port: 47110/tcp
Protocol: tcp
Threat ID: misc_opensslrenegotiation

Details: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
06/11/12
CVE 2009-3555
Multiple vendors TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which allows man-in-the-middle attackers to insert data into HTTPS sessions,
and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context.

Information From Target:
Service: 47110:TCP
Session Renegotiation succeeded on 47110:TCP and secure renegotiation did not succeed
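The scanner's finding ("secure renegotiation did not succeed") means the server did not answer with the RFC 5746 `renegotiation_info` extension (type 0xff01), which is the fix for CVE-2009-3555. A way to verify the same thing yourself before and after patching OpenSSL, as an added example that is not part of the original post or of Webmin/Virtualmin: the script below sends a minimal ClientHello that advertises the SCSV and an empty `renegotiation_info` extension, then parses the ServerHello to see whether the server echoes the extension. The host, port, cipher list and fixed client random are assumptions chosen for the probe; the two sample ServerHello messages used for offline checking are constructed, not captured from a real server.

```python
"""Probe whether a TLS server negotiates RFC 5746 secure renegotiation (CVE-2009-3555 fix)."""
import socket
import struct
import sys

RENEG_INFO_EXT = 0xFF01                        # renegotiation_info extension type (RFC 5746)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = b"\x00\xff"  # signalling cipher suite value from RFC 5746
HANDSHAKE, ALERT, SERVER_HELLO = 0x16, 0x15, 0x02


def build_client_hello() -> bytes:
    """ClientHello record offering three CBC suites, the SCSV and an empty renegotiation_info."""
    client_random = b"\x00" * 32  # assumption: fixed random is fine for a probe; real clients use os.urandom(32)
    ciphers = b"\x00\x2f\x00\x35\x00\x0a" + TLS_EMPTY_RENEGOTIATION_INFO_SCSV  # AES128-SHA, AES256-SHA, 3DES
    ext_reneg = struct.pack("!HH", RENEG_INFO_EXT, 1) + b"\x00"  # renegotiated_connection is empty on first handshake
    extensions = struct.pack("!H", len(ext_reneg)) + ext_reneg
    body = (b"\x03\x03"                      # client_version TLS 1.2 (record layer below stays 3.1 for old servers)
            + client_random + b"\x00"        # random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                    # one compression method: null
            + extensions)
    handshake = bytes([0x01]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def server_hello_has_reneg_info(handshake: bytes) -> bool:
    """Return True if a ServerHello handshake message carries the renegotiation_info extension."""
    if handshake[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello message")
    length = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    pos = 2 + 32                          # server_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                    # session id
    pos += 2 + 1                          # cipher suite + compression method
    if pos >= len(body):
        return False                      # no extensions block at all: pre-RFC 5746 server
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == RENEG_INFO_EXT:
            return True
        pos += ext_len
    return False


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def _read_record(sock: socket.socket):
    ctype, _version, length = struct.unpack("!BHH", _recv_exact(sock, 5))
    return ctype, _recv_exact(sock, length)


def check_secure_renegotiation(host: str, port: int, timeout: float = 5.0) -> bool:
    """Connect, send the ClientHello and report whether the server echoed renegotiation_info."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        buf = b""
        while True:
            ctype, payload = _read_record(sock)
            if ctype == ALERT:
                raise RuntimeError("server sent TLS alert %r" % payload)
            if ctype != HANDSHAKE:
                continue
            buf += payload                # handshake messages may span several records
            if len(buf) >= 4:
                need = 4 + int.from_bytes(buf[1:4], "big")
                if len(buf) >= need:
                    return server_hello_has_reneg_info(buf[:need])


def _constructed_server_hello(with_reneg: bool) -> bytes:
    """Constructed sample ServerHello (TLS 1.0, AES128-SHA) for offline testing; not from a real server."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if with_reneg:
        ext = struct.pack("!HH", RENEG_INFO_EXT, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    return bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    # Usage: python reneg_check.py <host> <port>   e.g. the Webmin port from the scan report
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    ok = check_secure_renegotiation(target_host, target_port)
    print("secure renegotiation (RFC 5746):", "supported" if ok else "NOT supported")
```

A server that answers "NOT supported" is what the scanner flags; after the OpenSSL and Perl SSL bindings used by miniserv are updated to RFC 5746-capable versions, the same probe should report "supported". The probe only observes the first handshake and never attempts a renegotiation itself.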