From c7dee9ab385c03dc60a838445e6310ebd0cda966 Mon Sep 17 00:00:00 2001
From: Sasha Romijn
Date: Tue, 20 Aug 2024 20:11:19 +0200
Subject: [PATCH] Make sensitivity of is_vulnerable_to_client_renegotiation_dos configurable
---
 sslyze/plugins/session_renegotiation_plugin.py | 2 +-
 sslyze/server_setting.py | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/sslyze/plugins/session_renegotiation_plugin.py b/sslyze/plugins/session_renegotiation_plugin.py
index ea033c89..46181869 100755
--- a/sslyze/plugins/session_renegotiation_plugin.py
+++ b/sslyze/plugins/session_renegotiation_plugin.py
@@ -180,7 +180,7 @@ def _test_client_renegotiation(server_info: ServerConnectivityInfo) -> Tuple[_Sc
     try:
         # Do a reneg multiple times in a row to be 100% sure that the server has no mitigations in place
         # https://github.com/nabla-c0d3/sslyze/issues/473
-        for i in range(10):
+        for i in range(server_info.network_configuration.client_renegotiation_attempts):
             ssl_connection.ssl_client.do_renegotiate()
         accepts_client_renegotiation = True
diff --git a/sslyze/server_setting.py b/sslyze/server_setting.py
index 0b1c61de..954d7219 100644
--- a/sslyze/server_setting.py
+++ b/sslyze/server_setting.py
@@ -173,6 +173,9 @@ class ServerNetworkConfiguration:
         xmpp_to_hostname: The hostname to set within the `to` attribute of the XMPP stream. If not supplied, the server's hostname will be used. Should only be set if the supplied `tls_wrapped_protocol` is an XMPP protocol.
+        client_renegotiation_attempts: The number of attempts to make when testing the client initiated renegotiation DoS vector. If the server accepts this many attempts, is_vulnerable_to_client_renegotiation_dos is set. Default: 10.
         network_timeout: The timeout (in seconds) to be used when attempting to establish a connection to the server.
         network_max_retries: The number of retries SSLyze will perform when attempting to establish a connection
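Review bot: A client_renegotiation_attempts of 0 (or any negative value) makes the new range() loop run zero times, and `accepts_client_renegotiation = True` on the line after the loop appears to be reached regardless, so the server would be reported as accepting client-initiated renegotiation — and, per the commit subject and the new docstring, as vulnerable — without a single renegotiation having been attempted. The hard-coded 10 could never produce that state, so the configurable value needs a lower bound, preferably enforced where ServerNetworkConfiguration is built rather than inside this try block, e.g. `if self.client_renegotiation_attempts < 1: raise ValueError("client_renegotiation_attempts must be at least 1")` in a __post_init__ (assuming the class is a dataclass, which the defaulted annotated fields in the other hunks suggest). A smaller point of style: the loop index `i` is unused, so `for _ in range(...)` reads better. _test_client_renegotiation starts before this hunk and its try/except continues past it.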
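Review bot: The new docstring entry for client_renegotiation_attempts in server_setting.py gives the default but not the valid range, and it does not say that every attempt performs a real TLS renegotiation against the scanned server, which is the information an operator needs before raising the value: larger counts mean more load on the target and a longer scan, while a count below 1 would make the check meaningless. I would extend the entry with `Must be at least 1. Each attempt performs one TLS renegotiation against the server, so larger values increase the load placed on the target.` The ServerNetworkConfiguration class starts before this hunk and continues after it.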
@@ -184,6 +187,7 @@ class ServerNetworkConfiguration:
     tls_client_auth_credentials: Optional[ClientAuthenticationCredentials] = None
     xmpp_to_hostname: Optional[str] = None
+    client_renegotiation_attempts: int = 10
     network_timeout: int = 5
     network_max_retries: int = 3