mod_ssl Bug and SSL Labs Renegotiation Test
Update March 13, 2019: SSL Labs Renegotiation Test is re-enabled on the production instance.
Update March 12, 2019: SSL Labs Renegotiation Test is re-enabled on the development instance, and will be live on the production instance this week.
Update February 20, 2019: To give users more time to apply the fix, we will re-enable the SSL Labs Renegotiation Test on March 11, 2019 (two additional weeks).
The Apache Security Team fixed a bug that is triggered whenever a client attempts TLS renegotiation against Apache HTTP Server 2.4.37 running with OpenSSL 1.1.1. The bug causes the affected httpd process to spin at 100% CPU. Details of the bug can be found at: https://bz.apache.org/bugzilla/show_bug.cgi?id=63052
Local testing by Qualys confirms that the SSL Labs renegotiation test triggers this bug for the above-mentioned server configuration, and can be used to cause the Apache httpd service on a target system to consume 100% CPU.
To allow Apache users time to apply the fix, SSL Labs has disabled the Renegotiation Test for one month and will re-enable it on February 25, 2019. While the test is disabled, users will not see the renegotiation results in SSL Labs reports.
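Two checks an operator might want before the test comes back, as an added example that is not code from SSL Labs or the Apache project: first, whether a server's mod_ssl is the affected combination, read from the version tokens in mod_ssl's startup log line ("compiled against Server: Apache/x.y.z, Library: OpenSSL/a.b.c") or from `httpd -v` plus `openssl version` output; second, a `openssl s_client` driver that requests a client-initiated renegotiation over TLS 1.2 and reports whether the server answers. The probe does exactly what the SSL Labs test does, so against an affected server it will pin httpd at 100% CPU; run it only against a lab instance you own. The sample log line is constructed, the hostname is a placeholder, and the script assumes an OpenSSL 1.1.x `s_client` (which renegotiates when it reads an "R" line) and GNU coreutils `timeout`.

```shell
#!/usr/bin/env bash
# Added example for this post; not code from SSL Labs or the Apache project.
# 1. affected_combo: given text naming the httpd and OpenSSL versions
#    (mod_ssl's startup log line, or `httpd -v` plus `openssl version` output),
#    report whether it matches the combination the post names.
# 2. probe_renegotiation: ask a server for a client-initiated renegotiation
#    with `openssl s_client`. Against an affected server this is the same
#    action that pins httpd at 100% CPU, so point it only at a lab instance.

# Print the httpd version found in "$1" (an "Apache/x.y.z" token), if any.
httpd_version() {
  printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Print the OpenSSL version found in "$1": "OpenSSL/1.1.1a" as mod_ssl logs it,
# or "OpenSSL 1.1.1a" as `openssl version` prints it.
openssl_version() {
  printf '%s\n' "$1" | sed -n 's|.*OpenSSL[/ ]\([0-9][0-9a-z.]*\).*|\1|p' | head -n 1
}

# Exit 0 when "$1" describes httpd 2.4.37 with any OpenSSL 1.1.1 release, else 1.
# The library mod_ssl was linked against is the one that matters, and it can
# differ from the `openssl` binary on PATH, so prefer the error-log line.
affected_combo() {
  local httpd_ver openssl_ver
  httpd_ver=$(httpd_version "$1")
  openssl_ver=$(openssl_version "$1")
  if [ "$httpd_ver" = "2.4.37" ]; then
    case "$openssl_ver" in
      1.1.1*) return 0 ;;
    esac
  fi
  return 1
}

# Request a renegotiation from host:port over TLS 1.2 (TLS 1.3 has no
# renegotiation, so the affected code path is unreachable there) and report
# whether the server answered within $3 seconds (default 10).
# Assumes OpenSSL 1.1.x s_client, which renegotiates on reading an "R" line,
# and GNU coreutils `timeout` (both assumptions of this example).
probe_renegotiation() {
  local host="$1" port="${2:-443}" limit="${3:-10}"
  local out rc
  # Give the handshake a moment, send "R", then hold stdin open briefly so the
  # answer (or the lack of one) is observable before s_client sees EOF.
  out=$( { sleep 2; printf 'R\n'; sleep 3; } |
         timeout "$limit" openssl s_client -connect "$host:$port" \
           -servername "$host" -tls1_2 2>&1 )
  rc=$?
  if [ "$rc" -eq 124 ]; then
    echo "no answer within ${limit}s after requesting renegotiation (hung connection)"
  elif printf '%s\n' "$out" | grep -q '^RENEGOTIATING'; then
    echo "renegotiation requested; s_client exited with status $rc"
  else
    echo "no renegotiation was attempted (s_client exit status $rc); check the handshake"
  fi
  # Lines worth reading from the transcript.
  printf '%s\n' "$out" | grep -E 'RENEGOTIATING|Protocol  *:|Secure Renegotiation|error|alert' || true
}

# Constructed sample of mod_ssl's startup log line (not taken from a real server).
SAMPLE_LOG='[Tue Jan 22 10:00:00.000000 2019] [ssl:info] [pid 1234] AH01876: mod_ssl/2.4.37 compiled against Server: Apache/2.4.37, Library: OpenSSL/1.1.1a'

if affected_combo "$SAMPLE_LOG"; then
  echo "affected: httpd $(httpd_version "$SAMPLE_LOG") with OpenSSL $(openssl_version "$SAMPLE_LOG")"
else
  echo "not the affected combination"
fi
# To probe a lab host you control (placeholder name; never a production server):
#   probe_renegotiation lab.example.internal 443 10
```

The version check deliberately reads the log line rather than trusting `openssl version`: on distribution packages mod_ssl is often linked against a different OpenSSL than the command-line binary. The probe forces TLS 1.2 because a TLS 1.3 connection never reaches the renegotiation code at all, so a server that only looks healthy under TLS 1.3 can still be affected for TLS 1.2 clients.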
Acknowledgements
We would like to thank the Apache Security Team for working with us on this issue.