Tls1 and renegotiation vulnerabilities

swiars 2022-06-06 07:01:18 UTC #1

Hello ,

We have 2 vulnerability on our dmz servers.
first one is about tls1.0 . I know that we can resolve this issue with “enable encryption” on bes admin.

our tls1.0 reg key is “disabled=1” . But our securtiy team didn’t accept this.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

Disabled=“1”

second one is aboute renegotiation. as I talked with case there is no customization about blocking renegotiation.

do you have any advice about both vulnerabilities ? did you faced with renegotiation vulnerabilities?

JasonWalker 2022-06-06 14:07:55 UTC #2

May need some more details about what your team’s actual findings are.

BigFix itself doesn’t use SCHANNEL for communications, we use OpenSSL.

Microsoft SCHANNEL and BigFix protocols can be configured independently, just need to start by determining which one is the issue.

swiars 2022-06-06 14:20:54 UTC #4

Hello Jason ,

SCHANNEL is different you are right.
they found this vulnerability on 52311 port. (It’s about SSL) .we can secure it with “enhanced security” option.

For the second vulnerability ( ssl renegotiation ) , do you have any advice ?

thank you.

swiars 2022-06-08 11:24:49 UTC #5

hello ,

do you have experience about renegotiation ? If it is secure, are we safe ?