Closed vbisbest closed 4 months ago
Hello,

I am not sure about the other tools, but I am able to trigger a renegotiation using just `openssl s_client`:

```
$ openssl s_client -tls1_2 -connect WWW.ADIDAS.COM:443
[...]
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = DE, ST = Bayern, L = Herzogenaurach, O = adidas AG, CN = www.adidas.com
verify return:1
```

This is what SSLyze tests for.
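The manual check above, scripted so it can be repeated against a host, as an added example that is not part of this thread and not sslyze's own code. It assumes the rule visible in the transcript: after `R` is typed, s_client prints `RENEGOTIATING`, and a server that honors the request completes a second handshake, which shows up as a fresh certificate chain (`verify return:` lines). `-state` is passed so that a `no renegotiation` alert is printed if the server refuses, and the sleeps are a guess at how long to wait for the first and second handshake. `classify_reneg`, `probe_reneg` and the two sample transcripts are hypothetical names and constructed data, not captured output.

```sh
#!/bin/sh
# Added example, not sslyze code. Reproduces the interactive s_client check
# and turns the transcript into a verdict.

# classify_reneg TRANSCRIPT
# Assumption: the part of the transcript after "RENEGOTIATING" contains a
# new chain ("verify return:" lines) only if the server completed the second
# handshake. No "RENEGOTIATING" at all means the first handshake never
# finished (for example TLS 1.2 disabled), so no verdict is possible.
classify_reneg() {
    if ! printf '%s\n' "$1" | grep -q '^RENEGOTIATING'; then
        echo unknown
        return 0
    fi
    after=$(printf '%s\n' "$1" | sed -n '/^RENEGOTIATING/,$p' | sed '1d')
    if printf '%s\n' "$after" | grep -q 'verify return:'; then
        echo honored
    else
        echo refused
    fi
}

# probe_reneg HOST [PORT]
# Same steps as typing by hand: TLS 1.2 only (renegotiation does not exist
# in TLS 1.3), wait for the handshake, send "R", wait for the server's
# answer, then let stdin close so s_client exits. s_client writes
# "RENEGOTIATING", the verify callback output and alerts to stderr, hence 2>&1.
probe_reneg() {
    host=$1
    port=${2:-443}
    transcript=$( (sleep 2; printf 'R\n'; sleep 3) \
        | openssl s_client -tls1_2 -state -connect "$host:$port" 2>&1 )
    printf '%s:%s %s\n' "$host" "$port" "$(classify_reneg "$transcript")"
}

# Constructed sample transcripts (not captured from any real server).
SAMPLE_HONORED='CONNECTED(00000003)
depth=0 CN = example.test
verify return:1
RENEGOTIATING
depth=0 CN = example.test
verify return:1'

SAMPLE_REFUSED='CONNECTED(00000003)
depth=0 CN = example.test
verify return:1
RENEGOTIATING
SSL3 alert read:warning:no renegotiation'

if [ $# -gt 0 ]; then
    probe_reneg "$@"
fi
```

Run it as `sh probe.sh www.example.com` to get one line of the form `host:port honored|refused|unknown`. The verdict `honored` corresponds to sslyze's "Server honors client-initiated renegotiations"; `refused` only says that no second chain appeared, which also covers a server that silently drops the connection, so look at the raw transcript before drawing conclusions about a tool's result.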
I am getting false positives for client renegotiation. Example: `sslyze www.adidas.com --reneg`

```
 CHECKING CONNECTIVITY TO SERVER(S)
 www.adidas.com:443 => 23.56.99.67

 SCAN RESULTS FOR WWW.ADIDAS.COM:443 - 23.56.99.67

 * Session Renegotiation:
       Client Renegotiation DoS Attack:   VULNERABLE - Server honors client-initiated renegotiations
       Secure Renegotiation:              OK - Supported

 SCANS COMPLETED IN 1.592417 S

 COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
 Disabled; use --mozilla_config={old, intermediate, modern}.
```
Both SSL Labs and the TestSSL script return false, e.g.:

```
 Testing for Renegotiation vulnerabilities
 Secure Renegotiation (RFC 5746)           OpenSSL handshake didn't succeed
 Secure Client-Initiated Renegotiation     not vulnerable (OK)

 Done 2024-02-06 12:04:35 [0021s] -->> 23.56.99.66:443 (www.adidas.com) <<--
```

![Screenshot 2024-02-06 at 12 05 44 PM](https://github.com/nabla-c0d3/sslyze/assets/3143293/b009ad13-da21-4a2c-bc54-f21608b147fe)