12 Replies Latest reply on Apr 7, 2017 7:58 AM by antonio marques

    Disable TLS client renegotiation support

    antonio marques

      Hi,


      I have an Openfire server (3.10.2) configured with TLS required. When running an SSL analyzer (sslyze) I get the following output:

        Client-initiated Renegotiation:VULNERABLE - Server honors client-initiated renegotiations

      As I understand it, there is a vulnerability that allows a DoS attack using TLS renegotiation.

      I searched the documentation but couldn't find any relevant data.

      Is there a way (or workaround) to disable this on Openfire?


      Openssl:

      Version 1.0.1e

      Release 60.60.el7


      Openfire : 3.10.2 (same occurs in current release -> 4.0.4)

        • Re: Disable TLS client renegotiation support
          Todd Swantek

          Same issue for me as well.  We have one Windows 2012 server running Openfire that does not throw this NESSUS scan vulnerability. Our Windows 2008 Openfire servers are.

          • Re: Disable TLS client renegotiation support
            Tariq Zubairy

            We are also getting the following output from sslyze: Client-initiated Renegotiation: VULNERABLE...

            Findings after debugging the Openfire (4.1.3)

            ------------------------------------------------

            There are two potential paths through which we can get this VULNERABILITY:

            1. The ADMIN Console with SSL enabled is using Jetty
            2. BOSH, whenever it is enabled with SSL, also uses Jetty

            Openfire creates the SslContextFactory object (org.eclipse.jetty.util.ssl.SslContextFactory) in EncryptionArtifactFactory (org.jivesoftware.openfire.spi.EncryptionArtifactFactory), and Jetty provides an API to set whether client renegotiation is allowed or not. The default value is true. I have tested this by changing the code of Openfire, adding a single line of code right after the creation of the SslContextFactory object:

                 sslContextFactory = new SslContextFactory();
                 sslContextFactory.setRenegotiationAllowed(false);

            and everything (Admin Console and BOSH) works fine. I don't know why Openfire needs client renegotiation. I think if this is not needed then it should be considered a bug and should be fixed in the next release.

            • Re: Disable TLS client renegotiation support
              antonio marques

              I found the solution, and it is not related to Openfire, as some users have already pointed out.

              It is only needed to add a flag to the java command that starts Openfire.

              The flag is -Djdk.tls.rejectClientInitiatedRenegotiation=true

              and can be added for example in the init.d script to OPENFIRE_OPTS

              OPENFIRE_OPTS="${OPENFIRE_OPTS} -DopenfireHome=${OPENFIRE_HOME} -Dopenfire.lib.dir=${OPENFIRE_LIB} -Djdk.tls.rejectClientInitiatedRenegotiation=true"
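The two fixes in this thread (the Jetty setRenegotiationAllowed(false) change above and the jdk.tls.rejectClientInitiatedRenegotiation JVM flag) side by side, as an added example that is not Openfire's own code. It assumes Jetty 9.x on the classpath and uses a hypothetical keystore path and password; the class name and helper methods are mine. The Jetty switch only covers Jetty listeners (admin console, BOSH), while the JVM property covers every JSSE socket, including the XMPP ports, which is why the command-line flag is the more complete fix.

```java
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HardenedTlsListener {

    // Hypothetical keystore location and password; replace with your own.
    static final String KEYSTORE_PATH = "/path/to/keystore.jks";
    static final String KEYSTORE_PASSWORD = "changeit";

    /** Builds a Jetty SslContextFactory that refuses client-initiated renegotiation. */
    public static SslContextFactory buildSslContextFactory() {
        SslContextFactory factory = new SslContextFactory();
        factory.setKeyStorePath(KEYSTORE_PATH);
        factory.setKeyStorePassword(KEYSTORE_PASSWORD);
        // Jetty's own switch, the same line the post above added to EncryptionArtifactFactory.
        // Applies only to connectors built from this factory.
        factory.setRenegotiationAllowed(false);
        return factory;
    }

    /**
     * True when the JVM-wide JSSE switch is on. JSSE reads this property once, when its
     * classes initialise, so it must be passed on the command line (as in OPENFIRE_OPTS)
     * rather than set with System.setProperty() after any TLS socket has been created.
     */
    public static boolean jvmRejectsClientRenegotiation() {
        return Boolean.parseBoolean(
            System.getProperty("jdk.tls.rejectClientInitiatedRenegotiation", "false"));
    }

    public static void main(String[] args) throws Exception {
        SslContextFactory factory = buildSslContextFactory();
        // Fail fast if someone re-enables renegotiation on the Jetty side.
        if (factory.isRenegotiationAllowed()) {
            throw new IllegalStateException("Jetty still allows client-initiated renegotiation");
        }
        // Non-Jetty listeners are only protected by the JVM flag, so warn loudly if it is missing.
        if (!jvmRejectsClientRenegotiation()) {
            System.err.println("WARNING: start the JVM with -Djdk.tls.rejectClientInitiatedRenegotiation=true");
        }
        Server server = new Server();
        ServerConnector https = new ServerConnector(server, factory);
        https.setPort(8443); // example port for an HTTPS listener
        server.addConnector(https);
        server.start();
        server.join();
    }
}
```

After deploying either change, re-run sslyze against each TLS port; the "Client-initiated Renegotiation" line should no longer report VULNERABLE.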
