Forum Discussion

uni
Apr 29, 2014

More on SSLLabs rating - Secure Client-Initiated Renegotiation

bkhowson posted a nice article recently on getting the A+ rating for SSLLabs server test. Using this, I now have an A+ rating on the site.

There is one thing left bugging me though, it reports

"Secure Client-Initiated Renegotiation  Supported   DoS DANGER (more info)"

Is this actually a problem, and can someone suggest a way to fix it?

1 Reply

  • can you try to disable renegotiation?

    e.g.

     renegotiation is enabled (default)
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            clientssl {
                context clientside
            }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 9
    }
    
    [root@centos1 ~] openssl s_client -connect 172.28.24.10:443
    CONNECTED(00000003)
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
       i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDrDCCApSgAwIBAgICBYgwDQYJKoZIhvcNAQEFBQAwgZgxCzAJBgNVBAYTAlVT
    MQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTESMBAGA1UEChMJTXlDb21w
    YW55MQswCQYDVQQLEwJJVDEeMBwGA1UEAxMVbG9jYWxob3N0LmxvY2FsZG9tYWlu
    MSkwJwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0x
    MzExMTcwODU2MzdaFw0yMzExMTUwODU2MzdaMIGYMQswCQYDVQQGEwJVUzELMAkG
    A1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxEjAQBgNVBAoTCU15Q29tcGFueTEL
    MAkGA1UECxMCSVQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcG
    CSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wggEiMA0GCSqG
    SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLsBpv7ujDWm7N1sDVquV+a5gWGF2lz+1u
    TXhhvEJMlEYlorCK4EKQDfGjQGhfiq00GRWB+pAethEjMinyopaFGmqvxg+eZYYK
    9lF1rb3r6vP0oUymL1lWCwvu9V1GKEN2sXovfdSv3LVIPLGf8xfW3HnGdF3A8cYl
    WQDWfkc7GjFI3mZ4GHUzMko5cs2N5oU2q2G3gE8nxdKYwy3VTzXWvM+Q6o+0/n2V
    i8jPgReWx8JvY+ybq1mBOJZpyxbRN3ddvLmLR4IpCEUT0uALittt10ZQ4uUpbNdq
    XMoX8L8ser9fLx1L3R4Gqo6/DRaBOYn8scfLpgG408yzP9l2hKpNAgMBAAEwDQYJ
    KoZIhvcNAQEFBQADggEBAFvYeMufu/bAf2tnPZvtlT9TgXudi45l7hN3fqLdvEey
    33i+Os2ZOLbzKLPKTQ3DT74MCNwOPkGgiM4SS4eN2B3VROeX1UDmUJR/MK3I1qZQ
    yn0icotAQhyPKIK44VubarB9hT4u30ZBzBWq0nqec4M4RJGJbshIfWYnt+lJUzyG
    s22ul1p4N47mBvzFaHOLK3CEJcRVLx99HiMKZ9OT+XIEDZYwqBU/nhovPt+lowly
    9aMRzNBCdTXaCDtOYuHbllsog4bonSPY1vm7ta9F204mp2cUkowMKtfRGD7XmVeK
    VfmAwb5c8bCTHozfvydcwmfdjiSoYq9aiuEDNMvrj/E=
    -----END CERTIFICATE-----
    subject=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    issuer=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1113 bytes and written 447 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 457BB7CC171B4139E605CD1C37DF7A0F18B4E399A2581AC7F190A8740FC3DCF1
        Session-ID-ctx:
        Master-Key: CE63065E8426FA7BE9D632B319EFFE4D5EA884891466706E39264AB8A9AD98942216F4F025DE20580A19160FDB2A0086
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1398746038
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    R
    RENEGOTIATING
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    verify return:1
    
     renegotiation is disabled
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            myclientssl {
                context clientside
            }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 9
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
    ltm profile client-ssl myclientssl {
        app-service none
        cert-key-chain {
            default {
                cert default.crt
                key default.key
            }
        }
        defaults-from clientssl
        inherit-certkeychain true
        renegotiation disabled
    }
    
    [root@centos1 ~] openssl s_client -connect 172.28.24.10:443
    CONNECTED(00000003)
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
       i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDrDCCApSgAwIBAgICBYgwDQYJKoZIhvcNAQEFBQAwgZgxCzAJBgNVBAYTAlVT
    MQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTESMBAGA1UEChMJTXlDb21w
    YW55MQswCQYDVQQLEwJJVDEeMBwGA1UEAxMVbG9jYWxob3N0LmxvY2FsZG9tYWlu
    MSkwJwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0x
    MzExMTcwODU2MzdaFw0yMzExMTUwODU2MzdaMIGYMQswCQYDVQQGEwJVUzELMAkG
    A1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxEjAQBgNVBAoTCU15Q29tcGFueTEL
    MAkGA1UECxMCSVQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcG
    CSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wggEiMA0GCSqG
    SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLsBpv7ujDWm7N1sDVquV+a5gWGF2lz+1u
    TXhhvEJMlEYlorCK4EKQDfGjQGhfiq00GRWB+pAethEjMinyopaFGmqvxg+eZYYK
    9lF1rb3r6vP0oUymL1lWCwvu9V1GKEN2sXovfdSv3LVIPLGf8xfW3HnGdF3A8cYl
    WQDWfkc7GjFI3mZ4GHUzMko5cs2N5oU2q2G3gE8nxdKYwy3VTzXWvM+Q6o+0/n2V
    i8jPgReWx8JvY+ybq1mBOJZpyxbRN3ddvLmLR4IpCEUT0uALittt10ZQ4uUpbNdq
    XMoX8L8ser9fLx1L3R4Gqo6/DRaBOYn8scfLpgG408yzP9l2hKpNAgMBAAEwDQYJ
    KoZIhvcNAQEFBQADggEBAFvYeMufu/bAf2tnPZvtlT9TgXudi45l7hN3fqLdvEey
    33i+Os2ZOLbzKLPKTQ3DT74MCNwOPkGgiM4SS4eN2B3VROeX1UDmUJR/MK3I1qZQ
    yn0icotAQhyPKIK44VubarB9hT4u30ZBzBWq0nqec4M4RJGJbshIfWYnt+lJUzyG
    s22ul1p4N47mBvzFaHOLK3CEJcRVLx99HiMKZ9OT+XIEDZYwqBU/nhovPt+lowly
    9aMRzNBCdTXaCDtOYuHbllsog4bonSPY1vm7ta9F204mp2cUkowMKtfRGD7XmVeK
    VfmAwb5c8bCTHozfvydcwmfdjiSoYq9aiuEDNMvrj/E=
    -----END CERTIFICATE-----
    subject=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    issuer=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1113 bytes and written 447 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 457BB7CC171B413AE605CD1C37DF7B0F93CF6BA1292392CFF190A8740FC3DCCE
        Session-ID-ctx:
        Master-Key: F62821AA6B19FFFC0960A2BD9DB155E285F450D93CB73FD6936D124E2FA938ADFABFDEBDC63CE3C11914B9966606B01D
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1398746099
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    R
    RENEGOTIATING
    16040:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
    16040:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
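The reply above verifies the fix by hand: type `R` at the `openssl s_client` prompt and see whether the server renegotiates or sends a handshake-failure alert. The following script is an added example (not part of the original thread or of F5's tooling) that automates that check so it can be run against a virtual server before and after the client-ssl profile change. It feeds `R` to `openssl s_client` on stdin and classifies the transcript; `-tls1_2` is passed because TLS 1.3 has no renegotiation at all, so a 1.3 handshake would say nothing about the setting being tested. The two sample transcripts embedded below are constructed from the two runs shown in the reply, with the certificate dump trimmed, so the classifier can be exercised offline. The hostname and the assumption that `openssl` is on `PATH` are illustrative.

```python
"""Probe a TLS server for client-initiated renegotiation, the way the reply above does by hand.

Added example, not from the original thread. Assumes an `openssl` binary on PATH.
"""
import re
import subprocess

# Constructed excerpt of the first transcript in the reply (renegotiation enabled on the
# default clientssl profile): after 'R' the server runs a second handshake and the client
# prints the certificate verification lines again.
SAMPLE_RENEG_ACCEPTED = """\
Secure Renegotiation IS supported
Compression: NONE
---
R
RENEGOTIATING
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
"""

# Constructed excerpt of the second transcript (profile with `renegotiation disabled`):
# the server answers the ClientHello with a handshake_failure alert (alert number 40).
SAMPLE_RENEG_REFUSED = """\
Secure Renegotiation IS supported
Compression: NONE
---
R
RENEGOTIATING
16040:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
16040:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
"""

# Alerts a server may send back when it refuses the second handshake:
# handshake_failure (40) as BIG-IP does here, or the no_renegotiation warning (100).
_REFUSAL_RE = re.compile(r"alert handshake failure|alert number 40|no_renegotiation|alert number 100")
# A second round of certificate verification output means the renegotiation went through.
_SECOND_HANDSHAKE_RE = re.compile(r"^(depth=\d+ |verify return:)", re.M)


def secure_renegotiation_supported(transcript: str):
    """True if the initial handshake negotiated RFC 5746 secure renegotiation,
    False if s_client reports it is NOT supported (legacy renegotiation only), None if unknown."""
    if "Secure Renegotiation IS NOT supported" in transcript:
        return False
    if "Secure Renegotiation IS supported" in transcript:
        return True
    return None


def classify_renegotiation(transcript: str) -> str:
    """Classify an s_client transcript in which 'R' was typed after the handshake.

    Returns 'accepted' (server renegotiated, the SSL Labs 'DoS DANGER' case),
    'refused' (server alerted and the attempt failed) or 'unknown'.
    """
    marker = transcript.find("RENEGOTIATING")
    if marker < 0:
        return "unknown"
    tail = transcript[marker + len("RENEGOTIATING"):]
    if _REFUSAL_RE.search(tail):
        return "refused"
    if _SECOND_HANDSHAKE_RE.search(tail):
        return "accepted"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 15.0) -> dict:
    """Connect with openssl s_client, send 'R' on stdin and classify the result.

    s_client prints RENEGOTIATING and OpenSSL errors on stderr, so both streams are joined.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-tls1_2"]
    proc = subprocess.run(cmd, input="R\n", capture_output=True, text=True, timeout=timeout)
    transcript = proc.stdout + proc.stderr
    return {
        "secure_renegotiation": secure_renegotiation_supported(transcript),
        "client_initiated": classify_renegotiation(transcript),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "172.28.24.10"  # the VIP from the reply
    print(probe(target))
```

Run it as `python3 reneg_probe.py www.example.com`; `{'secure_renegotiation': True, 'client_initiated': 'refused'}` is the state SSL Labs stops flagging. Note that "refused" only proves the server rejected this one renegotiation request; the report line in the original question is about the server accepting them, so the goal is the same `renegotiation disabled` setting the reply shows on the client-ssl profile.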