CVE-2009-3555 vulnerability


(Chris Lynch) #1

Octopus deploy tentacle showing vulnerable to TLS Protocol Session Renegotiation Security Vulnerability. (CVE-2009-3555)

Is there any fix for disabling client tls protocol renegotiation so that I can pass a qualys scan? I’ve seen a couple of older threads on this issue but none of them provided a solution.


#3

Hi @ChrisLynch

Thanks for getting in touch, sorry for the delay in getting back to you on this one.

We’ve done some research on this particular issue, and it appears that this is the result of not having a properly configured/patched OS, not a fault in Octopus as such. Reading the details of the CVE points us to these patches. I would also recommend ensuring that SSLv3/TLS1.0/TLS1.1 are all disabled, IIS Crypto is a good tool that can assist here.

I hope that helps, please let me know if you have any follow up questions,

Regards,
Alex