TLS Protocol Session Renegotiation Security Vulnerability

#1 Fri, 12/05/2014 - 12:03
uwe@comproso.com


Hi,

I am currently working on getting a server with CentOS 5.11 through PCI certification.

I get: TLS Protocol Session Renegotiation Security Vulnerability

I don't know what to do about it and it only affects the Webmin/Virtualmin login (the Usermin port is closed). All SSL settings are set as recommended in https://www.virtualmin.com/documentation/security/pci. I have checked on Red Hat and here is what they say: https://access.redhat.com/articles/20490, which does not help much as there seems to be no solution available right now. As additional info, we are using two-factor authentication on top of an SSL connection.

Any hints on what to do?

Here is the scan report:

THREAT REFERENCE

Summary: TLS Protocol Session Renegotiation Security Vulnerability

Risk: High (3)
Port: 47110/tcp
Protocol: tcp
Threat ID: misc_opensslrenegotiation

Details: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability 06/11/12 CVE 2009-3555
Multiple vendors TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context.

Information From Target: Service: 47110:TCP
Session Renegotiation succeeded on 47110:TCP and secure renegotiation did not succeed
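Added example, not from the post or from Webmin: a small Python probe that sends a TLS ClientHello advertising RFC 5746 secure renegotiation (the SCSV and an empty renegotiation_info extension) and checks whether the ServerHello echoes the renegotiation_info extension, which is exactly what the scanner's "secure renegotiation did not succeed" finding means is missing on port 47110. The host name is an assumption you supply; it also assumes the ServerHello fits in the first record the server sends.

```python
import os
import socket
import struct

RENEGOTIATION_INFO = 0xFF01     # RFC 5746 extension type
EMPTY_RENEG_INFO_SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite

def build_client_hello():
    """ClientHello advertising secure renegotiation both ways RFC 5746 allows."""
    suites = b"".join(struct.pack("!H", s) for s in
                      (0x002F, 0x0035, 0x009C, 0x009D, 0xC013, 0xC014, EMPTY_RENEG_INFO_SCSV))
    exts = (struct.pack("!HHB", RENEGOTIATION_INFO, 1, 0)   # empty renegotiated_connection
            + struct.pack("!HHH", 0x000D, 8, 6) + b"\x04\x01\x04\x03\x08\x04")  # signature_algorithms
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"            # max version TLS 1.2, random, no session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # suites, null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def server_hello_extensions(record):
    """Extension types in the ServerHello carried by one TLS record (assumed complete in it)."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record, content type %#x" % record[0])
    body = record[5:]
    if body[0] != 0x02:
        raise ValueError("first handshake message is not a ServerHello")
    sh = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                # server_version, random
    pos += 1 + sh[pos]          # session_id
    pos += 2 + 1                # cipher_suite, compression_method
    types = set()
    if pos < len(sh):           # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", sh[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", sh[pos:pos + 4])
            types.add(etype)
            pos += 4 + elen
    return types

def supports_secure_renegotiation(record):
    return RENEGOTIATION_INFO in server_hello_extensions(record)

def check_server(host, port=47110, timeout=5):
    """Connect, send the ClientHello and judge the first record the server answers with."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_client_hello())
        f = sock.makefile("rb")
        header = f.read(5)
        return supports_secure_renegotiation(header + f.read(struct.unpack("!H", header[3:5])[0]))
```

`openssl s_client -connect host:47110` reports the same fact in its "Secure Renegotiation IS supported" / "IS NOT supported" line; the probe gives the same answer in a form a script can assert on, so the fix (an SSL library with RFC 5746 support behind miniserv) can be verified before the next scan.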