jonasgloning
commented
7 months ago From the Node TLS docs:
To mitigate the risk, renegotiation is limited to three times every ten minutes. An 'error' event is emitted on the tls.TLSSocket instance when this threshold is exceeded. The limits are configurable:
tls.CLIENT_RENEG_LIMIT
Specifies the number of renegotiation requests. Default: 3. tls.CLIENT_RENEG_WINDOW Specifies the time renegotiation window in seconds. Default: 600 (10 minutes). The default renegotiation limits should not be modified without a full understanding of the implications and risks. TLSv1.3 does not support renegotiation.
As far as I understand: although your scanning tool detects the potential for renegotiation, NodeJS constraints render it ineffective for a DoS attack under the default settings.
You can prevent renegotiation by setting tls.CLIENT_RENEG_LIMIT to 0.
tangzhiqiangh
I'm having an issue:
[2023 Pen-Testing]
Description The server allows the connecting client to initiate SSL renegotiation. SSL renegotiation describes the process of the client and server renewing their consensus on which specific operating mode (including cipher suite etc.) they will use to communicate with each other securely. This process is much more computationally expensive for the server than the client, however, which means that if the client makes a large number of renegotiation requests, they may be able to cause the server to enter a denial-of-service (DoS) condition. This is known an SSL renegotiation attack, and can result in your web application becoming inaccessible to legitimate visitors. For this reason, only the server should be able to initiate SSL renegotiation.
Recommendation Disable client-initiated SSL renegotiation on your server if possible.
2023 Pen-Testing Report
nodejs and peerServer versions and program running
Is there any way to disable SSL renegotiation on Ubuntu 20.04?