The vulnerability scan performed by our hosting provider came up with this.
 
The remote service allows renegotiation of TLS / SSL connections.

Risk: Medium    TCP Port: 443
 
The remote service encrypts traffic using TLS / SSL but allows a
client to renegotiate the connection after the initial handshake. An
unauthenticated remote attacker may be able to leverage this issue to
inject an arbitrary amount of plaintext into the beginning of the
application protocol stream, which could facilitate man-in-the-middle
attacks if the service assumes that the sessions before and after
renegotiation are from the same 'client' and merges them at the
application layer.
 
I have looked around and read some, and this is the best info I can find:
  http://www.kb.cert.org/vuls/id/120541
 
The vulnerability report and that page say "Contact vendor for specific
patch information". Vendor for what? There is a vendor list at that
link, but hell, we do business with several of those guys. Anyone else come
across this?
 
 

-- 
You received this message because you are subscribed to the "Houston ColdFusion 
Users' Group" discussion list.
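As an added check, not part of the original post or of the scanner's report: a small shell script that parses `openssl s_client` output to tell whether a server advertises the RFC 5746 secure-renegotiation extension, which is what this class of scanner finding is normally keyed on. It assumes an `openssl` binary on PATH that prints the "Secure Renegotiation" line in its handshake summary; the host and port are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the scanner vendor.
# Assumes an `openssl` binary whose s_client handshake summary prints the
# "Secure Renegotiation IS [NOT] supported" line; host/port are placeholders.

# classify_reneg: read `openssl s_client` output on stdin and print one word:
#   secure   - server sent the RFC 5746 renegotiation_info extension
#   insecure - handshake completed without it (what the scan flags)
#   unknown  - no handshake summary found (connect failure, non-TLS port)
classify_reneg() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# probe_host HOST [PORT]: open one TLS connection, send 'Q' so s_client
# exits cleanly after the handshake, and classify the summary it printed.
probe_host() {
    host=$1
    port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        2>/dev/null | classify_reneg
}

# Usage: sh check_reneg.sh www.example.com 443   (placeholder host)
if [ -n "${1:-}" ]; then
    echo "$1:${2:-443} renegotiation: $(probe_host "$1" "$2")"
fi
```

A result of "insecure" means the server still completes handshakes without the renegotiation_info extension; a result of "secure" after a TLS library or server update is the usual way to confirm the finding has been cleared.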