
Is this a false positive on insecure renegotiation?

Question asked by Whit Blauvelt on Jun 27, 2015
Latest reply on Jun 30, 2015 by Whit Blauvelt

In testing a server running Ericom's Secure Gateway (which we're using with their PowerTerm WebConnect) we see:


"This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F."


I found the instructions for manually testing that here: So I went and downloaded openssl-0.9.8k source, and after finding it won't compile on Ubuntu 12.04, got it to compile on an old 10.04 system. Then I ran the recommended manual test, which went like this:


# ./openssl s_client -connect NN.NN.NN.NN:443

HEAD / HTTP/1.0       <<-- entered by me
read:errno=0          <<-- immediate response


So no chance to enter an R to request renegotiation. This was quite consistent. Against other, normal sites, including, there's the opportunity to enter the R and get to one result or another. So if this is still a good manual test, then the SSL Labs test is throwing a false positive. If it's not a good manual test, it would be useful to know what is.
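As an added example that is not part of the original post (and not Ericom's code), here is a POSIX shell check that does not depend on reaching the interactive "R" step at all. OpenSSL 0.9.8m and later print a "Secure Renegotiation IS supported" or "Secure Renegotiation IS NOT supported" line right after the handshake, which reports whether the server negotiated the RFC 5746 extension; that line is available even when the peer closes the connection as soon as it sees a request line. The 0.9.8k build used in the post predates RFC 5746 and prints neither line, so the script reports "unknown" for it. The transcript fragments below are constructed, not captured from any real server, and the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post or from Ericom's product.
# Classifies an `openssl s_client` transcript by the RFC 5746 status line
# that OpenSSL 0.9.8m and later print after the handshake:
#   "Secure Renegotiation IS supported"      -> server implements RFC 5746
#   "Secure Renegotiation IS NOT supported"  -> only legacy renegotiation (or none)
# This does not need the interactive "R" step, which is unreachable when the
# peer closes the connection as soon as it sees the request line.

# reneg_status: read an s_client transcript on stdin, print one of
# secure / insecure / unknown.
reneg_status() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo insecure
    elif printf '%s\n' "$transcript" | grep -q 'Secure Renegotiation IS supported'; then
        echo secure
    else
        # OpenSSL 0.9.8k (used in the post) predates RFC 5746 and prints
        # neither line; a failed handshake also ends up here.
        echo unknown
    fi
}

# check_host HOST [PORT]: run s_client against a live server and classify.
# -tls1_2 is deliberate: TLS 1.3 has no renegotiation at all, and s_client
# prints "IS NOT supported" on a TLS 1.3 connection although nothing is wrong.
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 </dev/null 2>/dev/null \
        | reneg_status
}

# Constructed transcript fragments (not captured from any real server),
# used to exercise the classifier offline.
SAMPLE_SECURE='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
Compression: NONE'
SAMPLE_INSECURE='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
Compression: NONE'
SAMPLE_OLD_CLIENT='New, TLSv1/SSLv3, Cipher is AES256-SHA
Compression: NONE'

# classify_samples: offline demo, prints secure / insecure / unknown, one per line.
classify_samples() {
    printf '%s\n' "$SAMPLE_SECURE" | reneg_status
    printf '%s\n' "$SAMPLE_INSECURE" | reneg_status
    printf '%s\n' "$SAMPLE_OLD_CLIENT" | reneg_status
}

# Usage:
#   classify_samples                   # offline demo on the constructed samples
#   check_host gateway.example.test    # live check (placeholder host; needs network)
```

A result of "insecure" from check_host means the server completed the handshake without the RFC 5746 extension, which is the condition the SSL Labs message describes; "unknown" usually means the local openssl is too old to report the extension, so repeat the check with a current build before drawing a conclusion.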