TLS Renegotiation

[Vorazzo Manuela <manuela.vorazzo@xxxxxxxxx>]

Hello everyone.

I’ve an apache 2.2.11 up and running in a linux suse 10 environment and openssl 0.9.6.g version.

 

After a network scan they’ve found that I have to disable TLS Renegotiation support in my server.

I’ve seen that I can do this with SSLInsecureRenegotiation off directive in my configuration file but this is available with apache 2.2.15.

I found this on the web:

*) SECURITY: CVE-2009-3555 (cve.mitre.org)

     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection

     attack when compiled against OpenSSL version 0.9.8m or later. Introduces

     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability

     and offer unsafe legacy renegotiation with clients which do not yet

     support the new secure renegotiation protocol, RFC 5746.

     [Joe Orton, and with thanks to the OpenSSL Team]

 

Is there some workaround to do this without upgrade my apache version???

I mean some mod_ssl configuration directives that I can set for bypass the problem/vulnerability???

 

 

Thanks in advance.

Greetings

 

Vorazzo Manuela

*******************Internet Email Confidentiality Footer******************* 
Qualsiasi utilizzo non autorizzato del presente messaggio nonché dei suoi allegati Ã¨ vietato e potrebbe costituire reato. Se ha ricevuto per errore il presente messaggio, Le saremmo grati se ci inviasse, via e-mail, una comunicazione al riguardo e provvedesse nel contempo alla distruzione del messaggio stesso e dei suoi eventuali allegati. Le dichiarazioni contenute nel presente messaggio nonche' nei suoi eventuali allegati devono essere attribuite al mittente e non possono essere necessariamente considerate come autorizzate da SIA-SSB S.p.A.; le medesime dichiarazioni non impegnano SIA-SSB S.p.A. nei confronti del destinatario o di terzi. SIA-SSB S.p.A. non si assume alcuna responsabilita' per eventuali intercettazioni, modifiche o danneggiamenti del presente messaggio e-mail. 
Any unauthorized use of this e-mail or any of its attachments is prohibited and could constitute an offence. If you are not the intended addressee please advise immediately the sender by using the reply facility in your e-mail software and destroy the message and its attachments. The statements and opinions expressed in this e-mail message are those of the author of the message and do not necessarily represent those of SIA-SSB S.p.A. Besides, The contents of this message shall be understood as neither given nor endorsed by SIA-SSB S.p.A.. SIA-SSB S.p.A. does not accept liability for corruption, interception or amendment, if any, or the consequences thereof.