False Negative on "Secure Client-Initiated Renegotiation" supported (CVE-2011-1473)

Article Id: 168224

Status: Published

Updated On: 08-09-2018 13:40

Legacy Id: TECH244798

Products:

ProxySG Software - SGOS

Issue/Introduction:

Related article:
CVE-2011-1473
https://support.symantec.com/en_US/article.SYMSA1280.html

Related Website:
https://www.ssllabs.com

Customer using a reverse Proxy and found vulnerability "Secure Client-Initiated Renegotiation" supported when scanning from https://www.ssllabs.com.

Cause:

This is false negative. Running scan in Qualys (www.ssllabs.com) is simply checks to see if the client renegotiation is enabled or not. If it is able to successfully renegotiate, it probably assumes that the DUT (Device Under Test) is vulnerable.

Resolution:

To clarify the behavior of SG, the first renegotiation works fine. During the second renegotiation attempts, the SG will drop the connection (after the ssl handshake is completed). There is only one connection and the renegotiation happens over the same connection. From the result, we can claim that the SG is not vulnerable based on the testing we have done.

Workaround

This is false negative. SGOS 6.2.14.1 and above are not vulnerable. For other SGOS branches, please see from https://bto.bluecoat.com/security-advisory/sa74.