nabla-c0d3 / sslyze

Fast and powerful SSL/TLS scanning library.
GNU Affero General Public License v3.0

Client Initiated Renegotiation False Positive #639

Closed vbisbest closed 4 months ago

vbisbest commented 5 months ago

I am getting false positives for client renegotiation. Example: `sslyze www.adidas.com --reneg`

CHECKING CONNECTIVITY TO SERVER(S)

www.adidas.com:443 => 23.56.99.67

SCAN RESULTS FOR WWW.ADIDAS.COM:443 - 23.56.99.67

Both SSL Labs and the TestSSL script return false, e.g.:

Testing for Renegotiation vulnerabilities

Secure Renegotiation (RFC 5746)              OpenSSL handshake didn't succeed
Secure Client-Initiated Renegotiation        not vulnerable (OK)

Done 2024-02-06 12:04:35 [0021s] -->> 23.56.99.66:443 (www.adidas.com) <<--

nabla-c0d3 commented 4 months ago

Hello,

I am not sure about the other tools, but I am able to trigger a renegotiation using just the openssl s_client:

$ openssl s_client -tlsv12 -connect WWW.ADIDAS.COM:443
[...]
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = DE, ST = Bayern, L = Herzogenaurach, O = adidas AG, CN = www.adidas.com
verify return:1

This is what SSLyze tests for.
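The disagreement in this thread is between a tool that actually performed a renegotiation (SSLyze, and the `openssl s_client` session above) and a tool whose own handshake did not succeed yet still printed "not vulnerable". When triaging scan output, "the check could not run" must not be folded into "not vulnerable". The script below is an added example, not code from the sslyze project or from either commenter: it reads the JSON that `sslyze --json_out` writes for the `--reneg` scan command and assigns each host a verdict, keeping incomplete checks separate. The JSON layout and the field names (`server_scan_results`, `session_renegotiation`, `status`, `error_reason`, `supports_secure_renegotiation`, `is_vulnerable_to_client_renegotiation_dos`) follow sslyze 5.x as I understand it and are an assumption here; the sample document is constructed.

```python
"""Triage sslyze --json_out results for the client-initiated renegotiation check.

Added example, not part of the sslyze project or of this issue. Assumes the
sslyze 5.x JSON layout: every entry in "server_scan_results" carries a
"scan_result" with a "session_renegotiation" attempt holding a "status" and,
when the attempt completed, a "result" with the two booleans used below.
Those field names are an assumption, not taken from this issue.
"""
import json

# Constructed sample mimicking sslyze JSON output for three hosts:
#  - one that refuses client-initiated renegotiation (the expected answer),
#  - one that accepts it (what the reporter saw for www.adidas.com),
#  - one where the check never ran, which a "not vulnerable" line would hide.
SAMPLE_JSON = json.dumps({
    "server_scan_results": [
        {"server_location": {"hostname": "ok.example", "port": 443},
         "scan_result": {"session_renegotiation": {
             "status": "COMPLETED",
             "result": {"supports_secure_renegotiation": True,
                        "is_vulnerable_to_client_renegotiation_dos": False}}}},
        {"server_location": {"hostname": "reneg.example", "port": 443},
         "scan_result": {"session_renegotiation": {
             "status": "COMPLETED",
             "result": {"supports_secure_renegotiation": True,
                        "is_vulnerable_to_client_renegotiation_dos": True}}}},
        {"server_location": {"hostname": "down.example", "port": 443},
         "scan_result": {"session_renegotiation": {
             "status": "ERROR",
             "error_reason": "CONNECTIVITY_ISSUE",
             "result": None}}},
    ]
})


def classify(reneg_attempt):
    """Map one session_renegotiation attempt to a triage verdict.

    Anything other than a completed attempt with a result is UNTESTED:
    the absence of a successful renegotiation says nothing when no
    handshake happened at all.
    """
    if reneg_attempt.get("status") != "COMPLETED" or not reneg_attempt.get("result"):
        return "UNTESTED"
    result = reneg_attempt["result"]
    if result.get("is_vulnerable_to_client_renegotiation_dos"):
        return "ACCEPTS_CLIENT_RENEGOTIATION"
    if not result.get("supports_secure_renegotiation"):
        return "NO_SECURE_RENEGOTIATION"
    return "OK"


def triage(sslyze_json):
    """Return {"host:port": verdict} for every server in an sslyze JSON document."""
    doc = json.loads(sslyze_json)
    verdicts = {}
    for entry in doc.get("server_scan_results", []):
        loc = entry["server_location"]
        key = f"{loc['hostname']}:{loc['port']}"
        # scan_result is absent/None when sslyze could not reach the server.
        attempt = (entry.get("scan_result") or {}).get("session_renegotiation") or {}
        verdicts[key] = classify(attempt)
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_JSON).items():
        print(f"{host:20} {verdict}")
```

Run `sslyze --reneg --json_out scan.json <hosts>` and feed the file's contents to `triage()`; hosts that come back UNTESTED should be re-scanned or checked by hand with `openssl s_client` and the `R` command as the maintainer does above, rather than recorded as clean.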