As you may be aware some time ago a tool to exploit a known SSL Renegotiation DoS issue was released. More technical details about the DoS can be found on Vincent Bernat’s blog.
What has this to do with Forefront TMG 2010 ?
It has if you published a secure server with TMG using the web server publishing rules because:
- SSL client side initiated renegotiation is enabled by default(even when you don’t needed); I’ve notified about this Microsoft Security Response Center on 25.10.2011.
- during the DoS attack hundreds of SSL handshakes are triggered within the same TCP connection nullifying TMG’s flood mitigation features.
- TMG makes use of the (limited) Schannel so you cannot disable the client side initiated renegotiation on TMG if you use client certificate authentication.
- TMG’s NIS currently does not include a signature to mitigate against the SSL Renegotiation DoS.
By client side initiated renegotiation we understand that the client(e.g. browser) is allowed to initiate SSL renegotiation to the server(TMG). This is not needed for secure web server publishing rules even with client certificate authentication. What is needed is the server side initiated renegotiation(for client certificate authentication), meaning allow TMG to initiate SSL renegotiation to client.
From what I have seen, on TMG when you use client certificate authentication:
- between the client and TMG a SSL connection is established without the server asking for a client cert.
- the client issues its HTTP request.
- TMG renegotiates asking for a client cert.
- if the client presents the correct cert will get access; if not an error (HTTP) message will be presented by TMG.
With the DisableRenegoOnServer registry entry on the TMG(server) we can control two separate functions:
- client side initiated renegotiation –> what we want to disable as we don’t want the server to respond to renegotiation requests from the client due to the SSL Reneg DoS issue.
- server side initiated renegotiation –> what we need enabled as we want the server(TMG) to be able to initiate renegotiation requests to clients in secure web server publishing scenarios using client certificate authentication.
The Windows Schannel currently(to my knowledge) does not provide separate registry entries for the above functions.
Bottom of the line:
- TMG, in its default configuration, is vulnerable to the SSL DoS renegotiation attack.
- TMG in secure web server publishing scenarios using client certificate authentication is vulnerable to the SSL DoS renegotiation attack; no current work around on TMG itself exist. If you have another device(e.g. IPS) in front of TMG you may create(if possible) a rule to mitigate against the SSL DoS renegotiation attack.
- Setting the DisableRenegoOnServer registry entry to 1 on TMG mitigates against the SSL DoS renegotiation attack but TMG will not be able to handle the above mentioned scenario.
Note: TMG can also be configured to request a client certificate but this does not seem to need SSL renegotiation. There are further implications regarding to SSL renegotiation and TMG not discussed here.
Extra note: Sites published with TMG can be potentially found using Google. Set the DisableRenegoOnServer registry entry to 1 on TMG if you do not need the SSL renegotiation feature.
 THC-SSL-DOS tool to verify the performance of SSL
 IETF mailing lists [TLS] SSL Renegotiation DOS
 SSL computational DoS mitigation
 Overview of flood mitigation
 Using client certificate authentication for publishing over HTTPS
 About Kerberos constrained delegation
 Microsoft Security Advisory: Vulnerability in TLS/SSL could allow spoofing
 Web listener advanced authentication options