AnsweredAssumed Answered

Wrong: "Secure Renegotiation     Supported, with client-initiated renegotiation disabled"

Question asked by ckahlo on Jun 26, 2012
Latest reply on Jun 27, 2012 by Ivan Ristić

Hi there,


just noticed the detection for "client-initiated renegotiation disabled" is incomplete.

I assume you're sending a hello request?

Better would be to send a Client Hello and watch out for a corresponding Server Hello.

Thats the way the "thc-ssl-dos"-tool from brings down servers.

People who believe their server is "secure" because of this rating might be vulnerable

against an attack using the mentioned tool.


BTW: * behaves wrong on TLS1.2 using ECDHE_RSA_* ciphers. The

hashes inside the signatures they calculate are anything but not the expected ones.

Short comment from my side can be found here:


Best regards,