The MITRE CVE dictionary describes this issue as:
** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.
Besides this being a questionable CVE, the version you are using went EOS a long time ago unless you have an extended contract.
Regards
Mark Hack
Hi
Our product is using OpenSSL 1.0.2 , one of the vulnerability scan tool reported vulnerability : CVE-2011-1473.
Vulnerability description:
Opensl doesn't properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection.
Only solution available for this vulnerability, is to disable renegotiation using SSL_OP_NO_RENEGOTIATION option. But this option is not available in the OpenSSL 1.0.2 version.
Any suggestions, how to fix this vulnerability in OpenSSL 1.0.2 version.
Regards
Manish
