https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-renegotiation/m-p/27979#M20421 <HTML><HEAD></HEAD><BODY><P>Is there a way to disable SSL renegotiation at firewall level ?</P><P></P><P>Disabling it server side (<A href="http://support.microsoft.com/kb/977377" title="http://support.microsoft.com/kb/977377"> Microsoft Security Advisory: Vulnerability in TLS/SSL could allow spoofing</A> ) breaks activeSync. I'd like to test a different scenario to get rid of the many false positives we get for the SSL Renegotiation Denial of Service Vulnerability.</P></BODY></HTML> Mon, 09 Jul 2012 06:22:55 GMT dieter_b 2012-07-09T06:22:55Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-renegotiation/m-p/27979#M20421 <HTML><HEAD></HEAD><BODY><P>Is there a way to disable SSL renegotiation at firewall level ?</P><P></P><P>Disabling it server side (<A href="http://support.microsoft.com/kb/977377" title="http://support.microsoft.com/kb/977377"> Microsoft Security Advisory: Vulnerability in TLS/SSL could allow spoofing</A> ) breaks activeSync. I'd like to test a different scenario to get rid of the many false positives we get for the SSL Renegotiation Denial of Service Vulnerability.</P></BODY></HTML> Mon, 09 Jul 2012 06:22:55 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-renegotiation/m-p/27979#M20421 dieter_b 2012-07-09T06:22:55Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-renegotiation/m-p/27980#M20422 <HTML><HEAD></HEAD><BODY><P>According to the admin guide (page 178) you can setup custom IPS signatures based on SSL so I hope its possible to setup a vuln signature regarding ssl negotiation which you then block if this comes client -&gt; server.</P><P></P><P>Unfortunately I currently dont have any example on how to setup such signature.</P></BODY></HTML> Mon, 09 Jul 2012 12:46:19 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-renegotiation/m-p/27980#M20422 mikand 2012-07-09T12:46:19Z