Forum Discussion
GavinW_29074
May 24, 2012 · Nimbostratus
SSL Renegotiation on PEN Test???
Hi there
We're currently getting some of our sites which are served through our F5s pen tested...
Our F5s are currently running v11.1.0 HF2.
The PEN test report has f...
jwham20
May 24, 2012 · Nimbostratus
Gavin,
Looking at a capture from an 11.1.0 system, it would appear the SSL handshake has the correct flags set:
ClientHello is received, the server MUST check
- if it includes the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag to TRUE.
- if the "renegotiation_info" extension is included in the ClientHello. If the extension is present, set secure_renegotiation flag to TRUE. The server MUST then verify that the length of the "renegotiated_connection" field is zero, and if it is not, MUST abort the handshake.
----------
If the secure_renegotiation flag is set to TRUE, the server MUST include an empty "renegotiation_info" extension in the ServerHello message.
I am wondering if there is a lack of maturity in the tool that was used to test.
-Joshm
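
The server-side check quoted in the reply above, as an added example that is not part of the original post and is not F5's code: a minimal Python parser that applies both checks to an initial ClientHello body and returns the resulting secure_renegotiation flag. The function and helper names and the sample ClientHello bytes are constructed for illustration; 0x00FF and 0xFF01 are the SCSV and extension type values assigned in RFC 5746.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value
EXT_RENEG_INFO = 0xFF01  # "renegotiation_info" extension type

class HandshakeAbort(Exception):
    """Raised where the quoted rule says the server MUST abort."""

def check_initial_client_hello(body: bytes) -> bool:
    """Return secure_renegotiation for a ClientHello body (after the 4-byte handshake header)."""
    pos = 2 + 32                       # client_version + random
    pos += 1 + body[pos]               # session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    suites = struct.unpack_from(f"!{cs_len // 2}H", body, pos + 2)
    pos += 2 + cs_len
    pos += 1 + body[pos]               # compression_methods
    secure = SCSV in suites            # first check: the SCSV
    if pos < len(body):                # extensions block is optional
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_total
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == EXT_RENEG_INFO:   # second check: the extension
                secure = True
                # data is a 1-byte length followed by renegotiated_connection
                if len(data) != 1 or data[0] != 0:
                    raise HandshakeAbort("renegotiated_connection is not empty")
    return secure

# Constructed sample input: builders for a minimal ClientHello body.
def build_hello(suites, extensions=b""):
    body = b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty session_id
    body += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
    body += b"\x01\x00"                                # one compression method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    return body

def reneg_ext(renegotiated_connection=b""):
    data = bytes([len(renegotiated_connection)]) + renegotiated_connection
    return struct.pack("!HH", EXT_RENEG_INFO, len(data)) + data

if __name__ == "__main__":
    print(check_initial_client_hello(build_hello([0x002F, SCSV])))
    print(check_initial_client_hello(build_hello([0x002F], reneg_ext())))
```

When the returned flag is TRUE, the ServerHello in the capture should carry an empty "renegotiation_info" extension, which is the thing to confirm before accepting or disputing the scanner finding.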