The SSL/TLS renegotiation vulnerability (CVE-2009-3555) allows a man-in-the-middle to insert plaintext at the beginning of an encrypted stream. It used to be possible to check whether a server supports renegotiation using OpenSSL s_client (see here). However, recent versions of OpenSSL disable insecure renegotiation completely, so if you run s_client against a vulnerable target and request renegotiation, it exits, just as it would if the target did not support renegotiation:
GET / HTTP/1.1
4020:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
Ssltlstest, developed by Leviathan Security, appears to reliably detect insecure SSL/TLS renegotiation:
alla@shiny2:~$ ./ssltlstest secure.example.com 443
Connected! Initiating client-renegotiation test...
WARNING!: Server appears to have client initiated renegotiation enabled!
TARGET IS VULNERABLE.
To compile ssltlstest on Linux, run:
g++ -o ssltlstest ssltlstest.cpp -lssl
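A complementary check, added here as an example (not code from ssltlstest or from this post): RFC 5746, the protocol fix for CVE-2009-3555, has a patched server return a `renegotiation_info` extension in its ServerHello, so parsing that message shows whether renegotiation is bound to the enclosing connection. The function names and the sample ServerHello builder are constructed for illustration.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746


def renegotiation_info(server_hello: bytes):
    """Return renegotiated_connection from a TLS 1.0-1.2 ServerHello, or None if absent."""
    if len(server_hello) < 4 or server_hello[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = server_hello[4:]
    if len(body) != int.from_bytes(server_hello[1:4], "big") or len(body) < 38:
        raise ValueError("truncated or malformed ServerHello")
    pos = 35 + body[34] + 3  # version(2) random(32) session_id cipher(2) compression(1)
    if pos == len(body):
        return None  # pre-extension server: no extensions block at all
    if pos + 2 > len(body):
        raise ValueError("malformed ServerHello")
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if pos > end:
            raise ValueError("extension overruns extensions block")
        if ext_type == RENEGOTIATION_INFO:
            if not data or data[0] != len(data) - 1:
                raise ValueError("malformed renegotiation_info")
            return data[1:]
    return None


def assess_initial_handshake(server_hello: bytes) -> str:
    info = renegotiation_info(server_hello)
    if info is None:
        return "legacy"  # server did not signal RFC 5746 support
    return "rfc5746" if info == b"" else "invalid"  # must be empty on a first handshake


def build_server_hello(extensions: bytes) -> bytes:
    """Constructed sample input: TLS 1.2 ServerHello, zero random, empty session id."""
    ext_block = struct.pack("!H", len(extensions)) + extensions if extensions else b""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00" + ext_block
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

A result of "legacy" means the server never advertised the RFC 5746 binding; "invalid" covers a non-empty value on a first handshake, which the RFC requires the client to reject.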