Opened 23 months ago

Closed 23 months ago

Last modified 23 months ago

#1648 closed defect (worksforme)

Nginx compiled with Openssl 1.1.1 allow renegotiation

Reported by: delagen@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.15.x
Keywords: Cc:
uname -a: Linux hostname 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.15.5 (CentOS)
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/local/sbin/nginx --modules-path=/usr/local/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --build=CentOS --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-pcre --with-pcre-jit --with-openssl=../../openssl/openssl-1.1.1 --add-module=../ngx-fancyindex --add-dynamic-module=../nginx-dav-ext-module --add-dynamic-module=../njs/nginx

Description

Tested 1.15.5 with testssl.sh

`

Secure Renegotiation (CVE-2009-3555) VULNERABLE (NOT ok)
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat

`

Patch available here https://github.com/centminmod/centminmod/commit/7800602a574be68043b44afe8d81aed47119374e

Change History (4)

comment:1 by delagen@…, 23 months ago

After patch the same ((

comment:2 by delagen@…, 23 months ago

Seems like testssl.sh incompatible with openssl 1.1.1

comment:3 by Sergey Kandaurov, 23 months ago

Resolution: worksforme
Status: newclosed

Works for me on the latest testssl.sh from testssl.sh

 Negotiated protocol          TLSv1.2
...
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)

comment:4 by delagen@…, 23 months ago

Yes. I updated testssl.sh and it works.

Note: See TracTickets for help on using tickets.