Hi,
our security scanner reports
SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094) for port TCP/636. I could not find a way to disable SSL/TLS renogitation for openldap.
How can this be disabled?
Any help is greatly appreciated.
Thank you.
Stefan
--On Thursday, March 3, 2022 9:55 AM +0100 Stefan Bauer cubewerk@gmail.com wrote:
Hi,
our security scanner reports
SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094) for port TCP/636. I could not find a way to disable SSL/TLS renogitation for openldap.
How can this be disabled?
I would note that both of those CVE's are disputed and "fixing" them was rejected by RedHat (which it appears you are using). I'd generally question the report by the security software.
However, if you use the Symas OpenLDAP packages which will provide a current release of OpenSSL and OpenLDAP instead of the distribution provided packages you can set the minimum TLS supported protocol to version 1.3, which forbids renegotiation.
Regards, Quanah
openldap-technical@openldap.org