mod_ssl Bug and SSL Labs Renegotiation Test

by Yash Sannegowda

Update March 13, 2019: SSL Labs Renegotiation Test is re-enabled on the production instance.

Update March 12, 2019: SSL Labs Renegotiation Test is re-enabled on the development instance, and will be live on the production instance this week.

Update February 20, 2019: To give more time to fix, we will re-enable the SSL Labs Renegotiation Test on March 11, 2019 (two additional weeks).

The Apache Security Team fixed a bug that is triggered whenever a client attempts TLS renegotiation against Apache HTTP Server 2.4.37 running with OpenSSL 1.1.1. The bug causes the Apache httpd service to consume 100% CPU. Details of the bug can be found at: https://bz.apache.org/bugzilla/show_bug.cgi?id=63052

Local testing by Qualys confirms that the SSL Labs renegotiation test triggers this bug for the above-mentioned server configuration, and can be used to cause the Apache httpd service on a target system to consume 100% CPU.
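Since the problem is tied to one specific combination of httpd and OpenSSL versions, an administrator's first question is which of their servers match it. The following is an added example (not code from Qualys, SSL Labs or the Apache project) that scans httpd error_log text for the version strings mod_ssl prints at startup and flags hosts running Apache 2.4.37 together with any OpenSSL 1.1.1 release. The log lines are constructed for the example and follow the shape of httpd's startup notices; the `AH00489`/`AH01876` message layout is assumed from that shape rather than taken from the post.

```python
import re
from typing import List, Tuple

# Constructed sample error_log excerpt in the shape of httpd's startup notices.
# Lines 1 and 2 describe an affected build (2.4.37 + OpenSSL 1.1.1a);
# lines 3 and 4 describe builds outside the affected combination.
SAMPLE_ERROR_LOG = """\
[Mon Feb 04 10:12:01.123456 2019] [mpm_event:notice] [pid 1001:tid 140] AH00489: Apache/2.4.37 (Unix) OpenSSL/1.1.1a configured -- resuming normal operations
[Mon Feb 04 10:12:01.123456 2019] [ssl:info] [pid 1001:tid 140] AH01876: mod_ssl/2.4.37 compiled against Server: Apache/2.4.37, Library: OpenSSL/1.1.1a
[Tue Feb 05 09:00:00.000000 2019] [ssl:info] [pid 2002:tid 140] AH01876: mod_ssl/2.4.29 compiled against Server: Apache/2.4.29, Library: OpenSSL/1.1.0g
[Wed Feb 06 08:30:00.000000 2019] [ssl:info] [pid 3003:tid 140] AH01876: mod_ssl/2.4.37 compiled against Server: Apache/2.4.37, Library: OpenSSL/1.0.2q
"""

# Captures "Apache/<x.y.z>" followed later on the line by "OpenSSL/<x.y.z><letters>".
# The optional letter suffix covers OpenSSL patch releases such as 1.1.1a.
VERSION_RE = re.compile(
    r"Apache/(?P<httpd>\d+\.\d+\.\d+).*?OpenSSL/(?P<ossl>\d+\.\d+\.\d+)(?P<suffix>[a-z]*)"
)

# The combination named in the post: httpd 2.4.37 with OpenSSL 1.1.1.
AFFECTED_HTTPD = (2, 4, 37)
AFFECTED_OPENSSL = (1, 1, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.37' into (2, 4, 37) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(httpd_version: str, openssl_version: str) -> bool:
    """True when the pair matches the affected combination.

    The OpenSSL letter suffix (1.1.1a, 1.1.1b, ...) is ignored because the
    post names the 1.1.1 series as a whole.
    """
    numeric_ossl = re.match(r"\d+\.\d+\.\d+", openssl_version)
    if numeric_ossl is None:
        return False
    return (
        parse_version(httpd_version) == AFFECTED_HTTPD
        and parse_version(numeric_ossl.group(0)) == AFFECTED_OPENSSL
    )


def affected_combinations(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, httpd_version, openssl_version) for each log line
    whose version pair falls in the affected combination."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = VERSION_RE.search(line)
        if match is None:
            continue  # not a startup/version line
        httpd_version = match.group("httpd")
        openssl_version = match.group("ossl") + match.group("suffix")
        if is_affected(httpd_version, openssl_version):
            hits.append((line_no, httpd_version, openssl_version))
    return hits


if __name__ == "__main__":
    for line_no, httpd_version, openssl_version in affected_combinations(SAMPLE_ERROR_LOG):
        print(f"line {line_no}: Apache/{httpd_version} with OpenSSL/{openssl_version} "
              f"matches the renegotiation CPU bug; apply the fix from bz.apache.org #63052")
```

Point the scanner at a real error_log (for instance `affected_combinations(open("/var/log/httpd/error_log").read())`) on each host; a hit means that server will spin to 100% CPU on client renegotiation until the Apache fix is applied, so it belongs at the top of the patch queue.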

To allow Apache users time to apply the fix, SSL Labs has disabled the Renegotiation Test for one month, and we will re-enable it on February 25, 2019. While the test is disabled, users will not see the following in SSL Labs reports:

[Image: the "Secure Renegotiation" / "Secure Client-Initiated Renegotiation" rows of an SSL Labs report (renegotiation-full-600x162.png)]

Acknowledgements

We would like to thank the Apache Security Team for working with us on this issue.
