DoS vulnerability due to client-initiated renegotiation

From: David Prothero <>
Date: Wed, 2 Nov 2011 13:34:14 -0700

HAProxy version 1.4.18

stunnel 4.44 with X-Forwarded-For patch

OpenSSL 0.9.8k 25 Mar 2009

Ubuntu 10.04.3 LTS  

I'm submitting this here rather than to stunnel's list as I'm not using the most recent version of stunnel due to needing the X-Forwarded-For patch.  

When I scan my domain ( using this tool:  

It reports this possible vulnerability:  

"This server is easier to attack via DoS because it supports client-initiated renegotiation"  

With a link to this article: ce-attacks.html  

I have been looking for a way to disable client-initiated renegotiation on stunnel/openssl but haven't found a way. On the options description here:  

It mentions "NO_SESSION_RESUMPTION_ON_RENEGOTIATION" but that doesn't sound like the same thing as disabling renegotiation. I tried that option nonetheless and the SSL labs scan still reported the same vulnerability.  

This isn't a deal breaker, I was just curious if anyone else had run into this and was concerned about it and/or knew of a way to disable client-initiated renegotiation.  



David Prothero

I.T. Director

Pharmacist's Letter / Prescriber's Letter

Natural Medicines Comprehensive Database

Ident-A-Drug /


(209) 472-2240 x231

(209) 472-2249 (fax)
Received on 2011/11/02 21:34

This archive was generated by hypermail 2.2.0 : 2011/11/02 21:45 CET