Hello Openssl-dev team, Currently am checking whether Renegotiation is enabled in openssl 0.9.8q version. If enabled, would like to disable this. As per release note, i see
*Changes between 0.9.8k and 0.9.8l [5 Nov 2009]* *) Disable renegotiation completely - this fixes a severe security problem (CVE-2009-3555) at the cost of breaking all renegotiation. Renegotiation can be re-enabled by setting SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at run-time. This is really not recommended unless you know what you're doing. [Ben Laurie] Renegotiation is completely removed from 0.9.8k version onwards. Currenlty we are using openssl0.9.8q version. But, when i tried to perform Renegotiation, OPENSSL SERVER is accepting Renegotiation. openssl s_client -connect 10.104.105.36:443 -ssl3 CONNECTED(00000003) New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA Server public key is 512 bit*Secure Renegotiation IS supported* SSL-Session: Protocol : SSLv3 Cipher : DES-CBC3-SHA Session-ID: 1C9FF53981EDECD2B45E9DB8BD6C776286F1EBA8F8DED95A877081C93B673658 Session-ID-ctx: Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) --- R RENEGOTIATING Renegotiation is successful. On server side, i printed the values from s3_pkt.c file in this portion of code : if (s->server && SSL_is_init_finished(s) && !s->s3->send_connection_binding && (*s->version > SSL3_VERSION*) && (s->s3->handshake_fragment_len >= 4) && (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && (s->session != NULL) && (s->session->cipher != NULL) && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { buginf("\n RENEGOTATION CANT BE DONE \n"); /*s->s3->handshake_fragment_len = 0;*/ rr->length = 0; ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); goto start; } else { buginf("\n Rajeswari entered in to else condition for client hello. \n" Debugs : Rajeswari entered in to else condition for client hello. s->server : 1 SSL_is_init_finished(s) : 1 s->s3->send_connection_binding :1 s->version : 768 SSL3_VERSION : 768 s->s3->handshake_fragment_len : 4 s->s3->handshake_fragment[0] : 1 SSL3_MT_CLIENT_HELLO : 1 s->ctx->options : 4000004 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION : 40000 I would like to understand does Renegotiation is not disabled for SSL3 Version? I read something like, for SSL3, RENEGOTIATION should return a failure and for TLSV1, RENEGOTIATION should return a warning. Please correct me if am wrong and also please provide your inputs how to disable RENEGOTIATION for current session. Thanks & Regards, Rajeswari.