Kevin_Stewart
May 23, 2014 (Employee)
It may be worth asking why SSL renegotiation is such a bad thing. The initial handshake of an SSL/TLS dialog is used to generate a session encryption key. The longer that key is used, the easier it becomes to attack it, so semi-frequent renegotiations are actually a good idea. Now, there is an issue with regular SSL renegotiation, detailed in CVE-2009-3555, that would allow an attacker to insert data into an existing session. This vulnerability has been addressed with RFC 5746, and "secure renegotiation" is a native function of the F5 BIG-IP. I would certainly question whether or not the finding is specific to all SSL renegotiation, or just (insecure) pre-5746 SSL renegotiation.
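As an added example (not code from the post above or from F5), here is a small parser that checks a server's ServerHello for the RFC 5746 `renegotiation_info` extension: on the initial handshake it must be present and empty, and on a renegotiation it must carry the previous handshake's verify_data, which is the binding that CVE-2009-3555-style splicing cannot supply. The ServerHello bytes are constructed samples (all-zero random, empty session id, TLS 1.2); `build_server_hello` exists only to produce them.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type registered by RFC 5746

def parse_server_hello(msg: bytes) -> dict:
    """Parse a TLS 1.0-1.2 ServerHello handshake message (record layer stripped)."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 35 + body[34] if len(body) > 34 else len(body)  # past version, random, session_id
    if pos + 3 > len(body):
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[:2])[0]
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3  # cipher suite (2) + compression method (1)
    extensions = {}
    if pos < len(body):  # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if pos + ext_len != len(body):
            raise ValueError("bad extensions length")
        while pos < len(body):
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > len(body):
                raise ValueError("extension runs past ServerHello")
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}

def secure_renegotiation_advertised(msg: bytes) -> bool:
    """Initial handshake: the server echoes renegotiation_info with an EMPTY
    renegotiated_connection, so the extension data is the single length byte 0x00."""
    return parse_server_hello(msg)["extensions"].get(RENEGOTIATION_INFO) == b"\x00"

def renegotiation_bound_to_previous(msg, client_verify, server_verify) -> bool:
    """Renegotiation: renegotiated_connection must equal the previous handshake's
    client_verify_data || server_verify_data; a spliced-in prefix handshake has none."""
    expected = client_verify + server_verify
    data = parse_server_hello(msg)["extensions"].get(RENEGOTIATION_INFO, b"")
    return data == bytes([len(expected)]) + expected

def build_server_hello(extensions) -> bytes:
    """Constructed sample ServerHello: TLS 1.2, all-zero random, empty session id."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", 0xC02F) + b"\x00"
    if extensions:
        body += struct.pack("!H", len(ext_body)) + ext_body
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

A server that omits the extension is one a scanner would flag as lacking RFC 5746 support, regardless of whether it permits renegotiation at all.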