search for: renegotiation

Hello. I've just tested my system that runs dovecot 2.3.4.1 on debian buster with testssl.sh (https://testssl.sh/) and is says: Secure Renegotiation (CVE-2009-3555) not vulnerable (OK) Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), potential DoS threat Is this a configuration or a compilation issue and how to solve it? -- sergio.

hai, As far as i know, no. Unless you are forceing all clients to use SSLv2 only (since that doesn't support renegotiation). Are you sure you want to disable it and not just prevent old clients from using the vulnerable renegotiation methods? If it's the last you'll need to upgrade to 2.8+ to get access to tls_disable_workarounds. you have 2 problems. - One is the vulnerable methods - the other is renegot...

..., 2016 at 12:30 PM, Osiris <dovecot at flut.demon.nl> wrote: > On 09-03-16 13:14, djk wrote: >> On 09/03/16 10:44, Florent B wrote: >>> Hi, >>> >>> I don't see any SSL configuration option in Dovecot to disable >>> "Client-initiated secure renegotiation". >>> >>> It is advised to disable it as it can cause DDoS (CVE-2011-1473). >>> >>> Is it possible to have this possibility through an SSL option or other ? >>> >>> Thank you. >>> >>> Florent >> ssl_protocols = !SSLv...

On 09/03/16 10:44, Florent B wrote: > Hi, > > I don't see any SSL configuration option in Dovecot to disable > "Client-initiated secure renegotiation". > > It is advised to disable it as it can cause DDoS (CVE-2011-1473). > > Is it possible to have this possibility through an SSL option or other ? > > Thank you. > > Florent ssl_protocols = !SSLv3 !SSLv2 Is that enough?

<div style="font:14px/1.5 'Lucida Grande', '微软雅黑';color:#333;"><p style="line-height: 1.5; margin: 0px; font-family: 'Lucida Grande', 'Lucida Sans Unicode', sans-serif !important;">Hi All,</p><p style="line-height: 1.5; margin: 0px; font-family: 'Lucida Grande', 'Lucida Sans Unicode', sans-serif

...t Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 2322 bytes and written 392 bytes Verification error: unable to verify the first certificate --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 21 (unable to verify the first certificate) When I tried to connect with command line: openssl s_client -showcerts -no_tls1_3 -connect server:993 No client certificate CA names sent P...

Using Asterisk-1.4.17, Zaptel-1.4.8, libpri-1.4.3 Upgraded this morning, now PRI channels are unstable as hell. After about 5 minutes all asterisk commands on the console refuse to respond, attached is the debug log right before and after the "lock-up", IT occurred between 9:18 and 9:20 AM at 9:20 I restarted asterisk. Box is debian w/ asterisk built from scratch. My setup is

Hi, This is just a quick note to state that the recently reported SSL/TLS MITM attack[1] *does not* affect SSH. Like SSL/TLS, SSH supports key and parameter renegotiation, but it is not vulnerable because a session identifier is carried over from the first key exchange into all subsequent key exchanges. Technical details: In SSL, key exchanges and subsequent renegotiations are completely independent. This allows an attack as follows: a MITM intercepts a connection...

Hi all, i read about the TLS-RENEGOTIATION vulnerability: http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html www.phonefactor.com/sslgapdocs/Renegotiating_TLS.pdf Does the Asterisk 1.6/1.8 SIP/TLS implementation suffer from t...

...> write:errno=0 >> --- >> no peer certificate available >> --- >> No client certificate CA names sent >> --- >> SSL handshake has read 309 bytes and written 202 bytes >> Verification: OK >> --- >> New, (NONE), Cipher is (NONE) >> Secure Renegotiation IS NOT supported >> Compression: NONE >> Expansion: NONE >> No ALPN negotiated >> SSL-Session: >> ??? Protocol? : TLSv1.2 >> ??? Cipher??? : 0000 >> ??? Session-ID: >> ??? Session-ID-ctx: >> ??? Master-Key: >> ??? PSK identity: None >&g...

...and the packets sent to clients are never fragmented. As the result - for the clients some part of the web becomes inaccessible. Manual tunnel down/up fixes the problem immediately since (probably - I didn't compare them) new lower MTU is chosen. I am wondering if it is possible to make MTU renegotiation to be automatic? Please advice, Dorian

...r is generated with an EC private key and the [ no shared cipher ] error: CONNECTED(00000003) write:errno=0 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 309 bytes and written 202 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: ??? Protocol? : TLSv1.2 ??? Cipher??? : 0000 ??? Session-ID: ??? Session-ID-ctx: ??? Master-Key: ??? PSK identity: None ??? PSK identity hint: None ??? SRP username: None ??? Start Time: 1532969474 ??? Timeout?? : 72...

This patch exports a new virtio core function: virtio_block_feature. The function should be called during a virtio driver probe. If a virtio driver blocks features during probe and fails probe, virtio core will reset the device, try to re-negotiate the new features and probe again. Signed-off-by: Alvaro Karsz <alvaro.karsz at solid-run.com> --- drivers/virtio/virtio.c | 73

Dear colleagues, experimenting with new amd64-based router we found strange re(4) behaviour when working in autoselect media mode: whenever promisc mode turned on, renegotiating occurs, leading to 3 to 45 (depending on STP settings on the switch) network unavailability. Moreover, some other re(4) setting changes seem to disturb link state unneededly (such as ifconfig re0 -vlanhwtag) The most

Hi Keir: [NET] front: Fix features on resume when csum is off When the netfront driver is resumed the features are renegotiated with the backend. However, I forgot take into account the status of the TX checksum setting. When TX checksum is disabled by the user, we cannot enable SG or TSO since both require checksum offload. This patch makes xennet check the checksum setting before

Hello, I was reading about secure Dialect negotiation to prevent man-in-middle to downgrade dialects & capabilities. _https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/_ I wanted to ask, is there any option to disable SMB2 to do dialect renegotiation as present in Windows8 clients, as they can control using RequireSecureNegotiate. -- Thanks Amit Kumar !!If you stumble, get back up. What happened yesterday, no longer matters. Today is another day to move closer to your GOAL!!

On Sun, Apr 30, 2023 at 04:15:16PM +0300, Alvaro Karsz wrote: > This patch exports a new virtio core function: virtio_block_feature. > The function should be called during a virtio driver probe. > > If a virtio driver blocks features during probe and fails probe, virtio > core will reset the device, try to re-negotiate the new features and > probe again. > >

Hi all I have an ADSL modem which reboots when there is a power cut and the inverter (UPS) kicks in. Internet access is down for a duration of 1 to 2 minutes while the modem boots. I have many SSH tunnels and shells active. Due to the default "TCPKeepAlive On" setting, these sessions are terminated almost immediately. I tried the following configuration: sshd_config on server:

...>> no peer certificate available >>> --- >>> No client certificate CA names sent >>> --- >>> SSL handshake has read 309 bytes and written 202 bytes >>> Verification: OK >>> --- >>> New, (NONE), Cipher is (NONE) >>> Secure Renegotiation IS NOT supported >>> Compression: NONE >>> Expansion: NONE >>> No ALPN negotiated >>> SSL-Session: >>> ??? Protocol? : TLSv1.2 >>> ??? Cipher??? : 0000 >>> ??? Session-ID: >>> ??? Session-ID-ctx: >>> ??? Master-Key: &g...

One of our clients has a Draytek Vigor 2920- their natted Snom phones behind it are registered to an Asterisk 1.4 server on an external public IP. I've set QOS, bandwidth management and turned off the SIP ALG via telnet but I'm still having some problems with some of the phones losing registration if Asterisk is restarted. I can see the phones sending SIP REGISTER messages, but they