A customer running the SG as a reverse proxy scanned it from https://www.ssllabs.com, and the report flagged "Secure Client-Initiated Renegotiation: Supported" as a vulnerability.
This is a false positive. The Qualys SSL Labs scan (www.ssllabs.com) only checks whether client-initiated renegotiation is enabled: if it can renegotiate successfully, it assumes the device under test (DUT) is vulnerable.
To clarify the SG behavior: the first renegotiation completes normally. On the second renegotiation attempt, the SG drops the connection once that SSL handshake has completed. There is only one connection, and both renegotiations take place on it. The concern behind this scanner finding is a client forcing repeated renegotiations on a single connection to exhaust server CPU; because the SG allows at most one renegotiation per connection, that attack does not apply, and based on this testing the SG is not vulnerable.
This is a false positive. SGOS 188.8.131.52 and later are not vulnerable. For other SGOS branches, see https://bto.bluecoat.com/security-advisory/sa74.
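To reproduce the check described above without SSL Labs, the script below (added here as an example; it is not Blue Coat tooling and not part of the original article) drives openssl s_client to request two renegotiations on a single connection and reports how many were processed and whether the endpoint dropped the session afterwards. The host name proxy.example.test, the s_client output strings it matches on, the -tls1_2 pin, and the two sample outputs it classifies are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not Blue Coat's own tooling: count how many client-initiated
# renegotiations a TLS endpoint accepts on one connection, which is the
# behaviour described above (first succeeds, second gets the connection
# dropped). All of the following are assumptions, not facts from the article:
#  - openssl s_client is on PATH, treats a stdin line "R" as a renegotiation
#    request and prints "RENEGOTIATING" for each one it processes.
#  - Renegotiation does not exist in TLS 1.3, so the probe pins -tls1_2.
#  - A connection the server tears down shows up in s_client output as
#    "closed" (close_notify received) or "read:errno=<n>" (socket error).

# Emit N renegotiation requests, pausing so each handshake can finish.
renegotiation_script() {
    n=$1
    i=0
    while [ "$i" -lt "$n" ]; do
        sleep 2
        echo R
        i=$((i + 1))
    done
    sleep 2
}

# Run the probe against host:port (hypothetical host; default port 443,
# default two attempts). stdout and stderr are merged because s_client
# reports RENEGOTIATING on stderr but "closed" on stdout.
probe_renegotiation() {
    host=$1
    port=${2:-443}
    attempts=${3:-2}
    renegotiation_script "$attempts" \
        | openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 2>&1
}

# Turn captured s_client output into "renegotiations=<n> connection=<kept|dropped>".
classify_probe_output() {
    out=$1
    # grep -c prints 0 and exits non-zero on no match; "|| true" keeps set -e quiet.
    count=$(printf '%s\n' "$out" | grep -c '^RENEGOTIATING' || true)
    if printf '%s\n' "$out" | grep -Eq '^(closed$|read:errno=)'; then
        state=dropped
    else
        state=kept
    fi
    printf 'renegotiations=%s connection=%s\n' "$count" "$state"
}

# Constructed sample (made up for this example) of what the SG behaviour
# above would look like: two "R" requests are processed, then the proxy
# resets the connection.
CONSTRUCTED_SG_OUTPUT='CONNECTED(00000003)
depth=0 CN = proxy.example.test
verify return:1
RENEGOTIATING
RENEGOTIATING
read:errno=104'

# Constructed sample of an endpoint that keeps honouring renegotiations.
CONSTRUCTED_UNLIMITED_OUTPUT='CONNECTED(00000003)
RENEGOTIATING
RENEGOTIATING
RENEGOTIATING
DONE'

if [ "$#" -gt 0 ]; then
    # Usage: sh probe.sh proxy.example.test 443 3
    classify_probe_output "$(probe_renegotiation "$@")"
else
    classify_probe_output "$CONSTRUCTED_SG_OUTPUT"
    classify_probe_output "$CONSTRUCTED_UNLIMITED_OUTPUT"
fi
```

Run with a host argument to probe a real endpoint; with no arguments it classifies the two constructed samples, yielding "renegotiations=2 connection=dropped" for the SG-like case and "renegotiations=3 connection=kept" for the unlimited case. The classifier only models the drop behaviour the article describes; an endpoint that refuses renegotiation with a handshake_failure alert makes s_client exit with error lines instead, which this pattern does not match and would need its own rule.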
Imported Document ID: 000022221