If the flaw is reported against a system that the scanner
accesses directly—perhaps only passing through a firewall—then how to react to
the report is pretty straightforward. In these instances, I have not
encountered any circumstance in which the flaw might be a false positive if the
service is allowing TLS renegotiation. The best recommendation in these
situations is to disable TLS renegotiation if possible. In most cases,
renegotiation is not truly needed.
Things get more interesting when load balancers are
involved, at which point it depends on the how the load balancers are
implemented. Usually, one of two basic approaches are used when implementing a
load balancer between the internet and the service.
First scenario: the load balancer is completely
responsible for handling the SSL. The SSL connection is received, and a new
connection is established between the load balancer and the service. In this
approach, the connection between the service and the load balancer may or may
not be encrypted. In this implementation, if TLS renegotiation is enabled on
the load balancer, it is not a false positive because the load balancer is
responsible for the renegotiation taking place, and the flaw can manifest.
Second scenario: the load balancer passes through the
connection to the service and never interrupts the SSL channel, so the end
service decides whether TLS renegotiation occurs. It is this circumstance that can
cause tests for TLS renegotiation to be false. The load balancer will report
back to the scanner or tester that it handles TLS renegotiation, but it is, in
fact, the service that is responsible. If the service itself does not support
TLS renegotiation, the finding is very likely a false positive.
Secure Renegotiation has been added as an extension to the
TLS protocol to support RFC 5746; therefore, if you utilize an SSL
implementation it should support Secure Renegotiation. Otherwise, if an RFC
5746-compliant SSL library must be used (and unless there is an explicit need
for TLS renegotiation to be enabled), it is recommended that you disable it.