As originally specified, all versions of the SSL and TLS protocols (up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle attack (CVE-2009-3555) during a renegotiation. This vulnerability allowed an attacker to "prefix" a chosen plaintext to the HTTP request as seen by the web server. A protocol extension was developed which fixed this vulnerability if supported by both client and server.
For more information on Man-in-the-Middle attack (CVE-2009-3555), see:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
Default mode
When the directive SSLInsecureRenegotion is not specified in the configuration, Oracle HTTP Server operates in compatibility mode.
In this mode, vulnerable peers that do not have Renegotiation Info/Signaling Cipher Suite Value (RI/SCSV) support are allowed to connect, but renegotiation is allowed only with those peers that have RI/SCSV support.
SSLInsecureRenegotiation ON
This option allows vulnerable peers that do not have RI/SCSV to perform renegotiation. Hence, this option must be used with caution, as it leaves the server vulnerable to the renegotiation attack described in CVE-2009-3555.
SSLInsecureRenegotiation OFF
If this option is used, only peers that support RI/SCSV will be allowed to negotiate and renegotiate a session. This is the most secure and recommended mode.
Category | Value |
---|---|
Syntax |
SSLInsecureRenegotiation ON | OFF |
Example |
SSLInsecureRenegotiation ON |
Default |
The default value is neither |
To configure SSLInsecureRenegotiation, edit the ssl.conf file and set SSLInsecureRenegotiation
ON
/OFF
globally or virtually to enable or disable insecure renegotiation.