NetVault HTTPS port may allow client-initiated renegotiation, which is one of the conditions of the renegotiation process vulnerability associated with CVE-2011-1473
Renegotiation
SSL/TLS protocols allow the client and server to renegotiate new encryption keys during a session. A vulnerability was discovered in which an attacker could exploit a flaw in the renegotiation process to inject content into the start of the session, compromising the integrity of the session. (That injection flaw is the insecure renegotiation issue tracked as CVE-2009-3555 and fixed by the secure renegotiation extension of RFC 5746; CVE-2011-1473 itself concerns the CPU-exhaustion denial of service that client-initiated renegotiation makes possible.)
For the vulnerability to occur, two conditions have to be met:
1. The server does not support secure renegotiation (RFC 5746).
2. The server allows client-initiated renegotiation.
The first condition does not occur with NetVault server, i.e., NetVault server supports secure renegotiation. Therefore NetVault can be considered not affected by the renegotiation process vulnerability.
However, NetVault server does meet the second condition: it allows client-initiated renegotiation. To reinforce compliance, modifying NetVault server so that it does not allow client-initiated renegotiation could be considered.
Check secure renegotiation support
The following command can be used to check whether a NetVault Server supports secure renegotiation:
# openssl s_client -connect <NetVault_server>:8443
<NetVault_server> can be the IP address or hostname of a NetVault Server running on Windows or Linux.
Check the output for the line "Secure Renegotiation IS supported" or "Secure Renegotiation IS NOT supported", which openssl prints after the initial handshake.
Check client-initiated renegotiation
To check whether client-initiated renegotiation is allowed, issue the command:
# openssl s_client -connect <NetVault_server>:8443
For example:
# openssl s_client -connect 10.8.224.114:8443
Once the connection with the NetVault server is established, openssl waits for input. Type the following two lines, pressing Enter after each one; the R on its own line makes openssl s_client start a renegotiation:
HEAD / HTTP/1.0
R
If the NetVault server does not support client-initiated renegotiation, openssl returns an error and the connection ends or times out. Note that a server can also refuse by sending a TLS "no renegotiation" warning alert and leaving the connection open, so the reliable indicator of an accepted renegotiation is the second certificate verification output shown below, not merely the connection staying open. Renegotiation also does not exist in TLS 1.3, so if the server negotiates TLS 1.3 run the test with the -tls1_2 option.
If the NetVault server supports client-initiated renegotiation, the connection stays active, waiting for additional commands, and the output shows the renegotiated handshake:
RENEGOTIATING
depth=0 C = EX, ST = State, L = City, O = Company, OU = Department, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = EX, ST = State, L = City, O = Company, OU = Department, CN = localhost
verify error:num=10:certificate has expired
notAfter=Jul 31 17:38:54 2019 GMT
verify return:1
depth=0 C = EX, ST = State, L = City, O = Company, OU = Department, CN = localhost
notAfter=Jul 31 17:38:54 2019 GMT
verify return:1
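The two manual checks above (secure renegotiation support and client-initiated renegotiation) can be run non-interactively with the following script. It is an added example and is not part of this article or of NetVault; the host and port arguments, the short waits between the input lines, and the use of the -tls1_2 and -state options are assumptions made to automate the procedure, and the sample transcripts are constructed from the output shown above so that the classifier can be exercised without a NetVault server.

```bash
#!/bin/bash
# Added example; not part of the NetVault KB article or of NetVault itself.
# It automates the two manual openssl s_client checks above against a NetVault
# HTTPS listener: whether the server advertises secure renegotiation (RFC 5746)
# and whether it accepts a client-initiated renegotiation.
# Assumptions not stated in the article: bash with grep/sed/tail, "timeout"
# from GNU coreutils, an openssl that understands -tls1_2 and -state, and 8443
# as the default port. The host/port arguments are hypothetical.

# classify_transcript TRANSCRIPT
# Parses an s_client transcript and prints two lines:
#   secure-renegotiation=<yes|no|unknown>
#   client-renegotiation=<allowed|refused|unknown>
classify_transcript() {
    local t="$1" secure=unknown client=unknown after

    # s_client prints exactly one of these lines after the initial handshake.
    if printf '%s\n' "$t" | grep -q 'Secure Renegotiation IS supported'; then
        secure=yes
    elif printf '%s\n' "$t" | grep -q 'Secure Renegotiation IS NOT supported'; then
        secure=no
    fi

    # Everything after the RENEGOTIATING marker belongs to the second handshake.
    after=$(printf '%s\n' "$t" | sed -n '/^RENEGOTIATING/,$p' | tail -n +2)
    if [ -n "$after" ]; then
        # A refusal shows up as an alert line (printed because of -state), an
        # OpenSSL ":error:" line, or the connection being closed (read:errno=).
        # The "verify error:num=18" lines of a self-signed chain do not match.
        if printf '%s\n' "$after" | grep -qE 'alert|:error:|errno='; then
            client=refused
        # A completed renegotiation re-verifies the server chain, which is what
        # the "verify return:" lines after RENEGOTIATING indicate.
        elif printf '%s\n' "$after" | grep -q 'verify return:'; then
            client=allowed
        fi
    fi
    printf 'secure-renegotiation=%s\nclient-renegotiation=%s\n' "$secure" "$client"
}

# check_netvault_renegotiation HOST [PORT]
# Non-interactive version of the manual procedure: connect with TLS 1.2
# (renegotiation was removed from TLS 1.3), send the HEAD line, then the "R"
# line as a separate write so s_client sees it at the start of a read, keep
# stdin open long enough for the second handshake, and classify the output.
check_netvault_renegotiation() {
    local host="$1" port="${2:-8443}" transcript
    transcript=$( { printf 'HEAD / HTTP/1.0\n'; sleep 1; printf 'R\n'; sleep 5; } |
        timeout 20 openssl s_client -connect "${host}:${port}" -tls1_2 -state 2>&1 )
    classify_transcript "$transcript"
}

# Constructed sample transcripts (abridged, modelled on the output shown in
# the article) so the classifier can be exercised without a NetVault server.
SAMPLE_ALLOWED='CONNECTED(00000003)
depth=0 C = EX, ST = State, L = City, O = Company, OU = Department, CN = localhost
verify error:num=18:self signed certificate
verify return:1
Secure Renegotiation IS supported
RENEGOTIATING
depth=0 C = EX, ST = State, L = City, O = Company, OU = Department, CN = localhost
verify error:num=18:self signed certificate
verify return:1'

SAMPLE_REFUSED='CONNECTED(00000003)
verify return:1
Secure Renegotiation IS supported
RENEGOTIATING
SSL3 alert read:warning:no renegotiation'

SAMPLE_NO_RENEG='CONNECTED(00000003)
verify return:1
Secure Renegotiation IS NOT supported'

# Usage: ./netvault_reneg.sh 10.8.224.114 8443   (live check against a server)
#        ./netvault_reneg.sh --demo               (classify the constructed samples)
if [ "${1:-}" = "--demo" ]; then
    classify_transcript "$SAMPLE_ALLOWED"
    classify_transcript "$SAMPLE_REFUSED"
    classify_transcript "$SAMPLE_NO_RENEG"
elif [ -n "${1:-}" ]; then
    check_netvault_renegotiation "$1" "${2:-8443}"
fi
```

Because -state makes s_client print TLS alerts, a server that answers the renegotiation request with a no_renegotiation warning alert is reported as refused even though the connection stays open, which the interactive procedure alone would not reveal.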
NetVault uses port 8443 as the default HTTPS listen port for incoming Web Service connections. When installing the server, if the default port (8443) is in use by any other application, NetVault assigns the first available port in the port range 50486 to 65535.
HTTPS Listen port for incoming Web Service connections: By default, NetVault uses port 8443 for HTTPS. If this port is in use by any other server or application, configure an alternate port.
WebService security certificate file: To use HTTPS, provide an SSL certificate.
NetVault provides a self-signed certificate (server.crt), which resides in the etc directory under the NetVault installation directory. This certificate generates warnings in most browsers. For the browser to accept the certificate without warnings, a certificate file signed by a trusted certificate authority would have to be provided; support for this is currently under consideration.
Enhancement request NV-I-761 has been raised for this and is currently under consideration. For more information, follow the release notes of the upcoming releases.