Unable to Reproduce Medium Severity Vulnerability

Hello everyone,

I routinely use GSM to scan various systems our business uses, including our websites. In the past 2 months a new entry has appeared for one of our websites. I have reported it to the ISP who runs the webserver, but they are struggling to reproduce the error, and hence to do anything to fix it.

I’m therefore looking for more information or guidance on how to treat it?

The title for the vulnerability is: SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)

The test is being run against: [] www.tongue-tied.co.uk

I’ve copied the full detail of the report entry below, in case its of any use. Can anyone give me any more information on how to reproduce this error, and/or how to fix it?


The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.

Detection Result

The following indicates that the remote SSL/TLS service is affected: Protocol Version | Successful re-done SSL/TLS handshakes (Renegotiation) over an existing / already established SSL/TLS connection ---------------------------------------------------------------------------------------------------------------------------------- TLSv1.0 | 10 TLSv1.1 | 10 TLSv1.2 | 10


The flaw exists because the remote SSL/TLS service does not properly restrict client-initiated renegotiation within the SSL and TLS protocols. Note: The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state with the following rationale: > It can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment. Both CVEs are still kept in this VT as a reference to the origin of this flaw.

Detection Method

Checks if the remote service allows to re-do the same SSL/TLS handshake (Renegotiation) over an existing / already established SSL/TLS connection.

Affected Software/OS

Every SSL/TLS service which does not properly restrict client-initiated renegotiation.


The flaw might make it easier for remote attackers to cause a DoS (CPU consumption) by performing many renegotiations within a single connection.


Solution Type:


Users should contact their vendors for specific patch information. A general solution is to remove/disable renegotiation capabilities altogether from/in the affected SSL/TLS service.


and welcome to this community forums. Info on how to reproduce this vulnerability can be found in the references linked in the VT in question like e.g. the following:

Note: Link in the VT is the “original” one which seems to be a 404 these days, this will be replaced in the VT soon.