Frequently Asked Questions related to SSL Renegotiation Denial of Service
Q. What is the difference between SSL and TLS?
A. SSL and TLS is the same thing. For trademark reasons when SSL became an open standard it had to change its name from SSL to TLS. TLS 1.0 is essentially SSL 3.1 – it even claims to be version “3.1” in its communication. I’ll refer to it as SSL from here to remind you that it’s a problem with SSL and TLS.
Q. Most people think about HTTPS when talking about SSL – is this limited to HTTPS?
A. No, this isn’t an HTTPS-only attack, although it is true that most exposure to SSL is through HTTPS. There are many other protocols that use SSL to protect their connections and traffic, and they each may be vulnerable in their own special ways. Here are some other protocols and devices that use SSL: SSL-VPNs, Load Balancers, FTPS, POP3S, Secure IRC
Q. I’ve seen some posts saying that SSH and SFTP are not vulnerable – how did they manage that?
A. Simply by “not being SSL”. SFTP is a protocol on top of SSH, and SSH is not related to SSL. That’s why it’s not affected by this issue. Of course, if there’s a vulnerability discovered in SSH, it’ll affect SSH and SFTP, but won’t affect SSL or SSL-based protocols such as HTTPS and FTPS.
Q. Is it OK to disable SSL renegotiation to fix this issue?
A. It depends. There are a few scenarios that require SSL renegotiation. If SSL didn’t need renegotiation at all, it wouldn’t be there. In some cases, if you disable SSL renegotiation, you may be killing functionality. There are a few reasons that you might be using SSL renegotiation:
- Client side certificates or authentication, because that’s how client authentication works – while you can do client authentication without renegotiation, most HTTPS implementations use renegotiation to request the client certificate. Disabling renegotiation will generally prevent most clients from authenticating with client authentication.
- After 10 hours renegotiation is required to refresh the session key and provide perfect forward secrecy. Do you have SSL connections lasting 10 hours? You probably should be looking at some disconnect/reconnect scenario instead. SSL-VPNs should come to mind.
- In some cases you can’t disable SSL renegotiation. In OpenSSL, you can only disable renegotiation if you download and install 0.9.8l, and in other SSL implementations, there is no way to disable renegotiation outside of modifying the application.
Q. Is the solution to disable client initiated renegotiations, server initiated renegotiations, or both?
A. Disabling client initiated renegotiations on the server seems to be the best solution for this issue. Server initiated renegotiations do not play a role in server denial of service.
Q. Is this really the most important vulnerability we face right now?
A. No, but if availability is a requirement for you then you may want to address this.
Q. Can we apply the solution today?
A. Speak with your vendors and hosting team. For most cases, you should be able to disable renegotiation to solve this issue. Other cases, which require renegotiation, may need to find another solution. IDS and IPS vendors already have signatures to detect multiple renegotiations per second. Anti-DOS and DOS mitigation vendors also have signatures and methods of mitigating this attack.