False Negative on "Secure Client-Initiated Renegotiation" supported (CVE-2011-1473)

Article ID: 168224

Products

ProxySG Software - SGOS

Issue/Introduction

Related article:
CVE-2011-1473
https://support.symantec.com/en_US/article.SYMSA1280.html

Related Website:
https://www.ssllabs.com

A customer running a reverse proxy found the finding "Secure Client-Initiated Renegotiation: supported" reported when scanning the proxy from https://www.ssllabs.com.

Cause

This is a false negative. The Qualys scan (www.ssllabs.com) simply checks whether client-initiated renegotiation is enabled or not. If it is able to renegotiate successfully, it presumably assumes that the DUT (Device Under Test) is vulnerable.

Resolution

To clarify the behavior of the SG: the first renegotiation succeeds. On the second renegotiation attempt, the SG drops the connection (after the SSL handshake has completed). There is only one connection, and both renegotiations happen over that same connection. Based on the testing we have done, we conclude that the SG is not vulnerable.
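The behaviour described above can be reproduced against a reverse proxy you operate with the script below. It is an added example, not code from the article or from Symantec: it issues two client-initiated renegotiations over one TLS connection with the openssl CLI (assumed to be installed) and classifies the captured s_client transcript, so an SG that accepts the first renegotiation and drops the second shows as "dropped-after-2", while a device that tolerates both shows as "accepted-2", which is what the SSL Labs scan reports as "supported". The host and port are placeholders.

```shell
#!/bin/sh
# Added example, not from the KB article: reproduce the client-initiated
# renegotiation check SSL Labs performs and classify the result the way the
# article describes SGOS behaviour. Assumes the openssl CLI; host/port are
# placeholders for a device you operate.

# Send two client-initiated renegotiations over ONE TLS connection.
# An 'R' at the start of a stdin line is s_client's renegotiate command.
# TLS 1.3 removed renegotiation, so TLS 1.2 is pinned to exercise the path.
# -state makes s_client print handshake states and alerts, which the
# classifier below keys on; stderr is merged so both streams are captured.
renegotiation_probe() {
    host=$1
    port=${2:-443}
    { sleep 2; echo R; sleep 2; echo R; sleep 2; } |
        openssl s_client -connect "$host:$port" -servername "$host" \
            -tls1_2 -state 2>&1
}

# Classify a captured s_client transcript. Prints one of:
#   refused          server answered with a no_renegotiation warning alert
#   dropped-after-N  connection was closed/reset after the Nth attempt;
#                    the article's SG behaviour shows as dropped-after-2
#   accepted-N       all N attempts went through and the connection stayed
#                    open until stdin ran out (the scan's "supported" result)
interpret_probe() {
    out=$1
    attempts=$(printf '%s\n' "$out" | grep -c '^RENEGOTIATING' || true)
    if printf '%s\n' "$out" | grep -q 'alert read:warning:no renegotiation'; then
        echo refused
    elif printf '%s\n' "$out" |
            grep -Eq '^(closed|read:errno=|SSL3 alert read:fatal)|unexpected eof'; then
        echo "dropped-after-$attempts"
    else
        echo "accepted-$attempts"
    fi
}

# Usage: interpret_probe "$(renegotiation_probe proxy.example.com 443)"
```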

Workaround

This is a false negative. SGOS 6.2.14.1 and above are not vulnerable. For other SGOS branches, see https://bto.bluecoat.com/security-advisory/sa74.