Client Initiated Secure Renegotiation and DoS Attacks

I recently had a web service application penetration tested by a 3rd party company and one of the issues raised was that the web service allowed: “Client Initiated Secure Renegotiation”

This means that the web service is susceptible to denial of service attacks because the client could (maliciously) repeatedly request a secure renegotiation which requires a lot of processing resource at the server and hence overload it.

Can this be switched off in 2019r3/2020r1?

In a standalone app, you should be able to control this by setting the SSL type as a command line option when you start the app using the SSLType option. See WebApplication in the docs.

The other way would be to put a load balancer / reverse proxy in front of your app.

I should have mentioned that we are using standalone web apps for this.

The SSLType settings don’t explicitly prevent client initiated secure renegotiation from occurring unless there’s something going on under the hood? Is that the case?

We are using the default TLS1.2

I’ve done a little more investigation and it looks like if we want to support this, it’s something that will need to be done in SSLSocket or as I mentioned above, put a load balancer / reverse proxy in front of your app. Recent versions of Apache have already patched for this issue.

Please file a feature request in Feedback.

1 Like

I’m curious though… did your test actually manage to crash the app?

Thanks @Greg_O_Lone. I will put in a feature request as this would be useful going forward.

Our PEN test didn’t attempt to crash the system, they just raised it as a potential issue. In our live environment, we can strictly restrict the hosts that can access our API so that mitigates the issue. If we were exposing our API to the internet however, this might be a more serious issue.

We still don’t recommend that. Using something like Apache or Nginx in front of your app really is the safest thing to do when putting a web app out on the internet.

Thanks for the advice Greg. I shall bear that in mind.

I’ve raised a feature request: