Renegotiation allowing to insert data into HTTPS sessions

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 PCI v3.2-6.5.4 OWASP PC-C1 CAPEC-217 CWE-757 HIPAA-164.306(a) ISO27001-A.14.1.2 WASC-04 WSTG-CRYP-01

A Secure Socket Layer/Transport Layer Security process allows the exchange of the details of a handshake after a connection is made with the server. A number of Internet connections require SSL renegotiation. Renegotiation is required for making an SSL connection when no client-server authentication is initially required. Renegotiation adds authentication details to the current connection, rather than dropping and creating a new SSL connection.

There are many servers that do not properly associate renegotiation handshakes with an existing connection. This bug will allow an attacker to insert malicious data into HTTPS sessions and possibly other types of sessions protected by TLS or SSL.


This vulnerability can be exploited by Man-in-the-middle attackers. A man-in-the-middle attack is a client vulnerability with disastrous power in cryptography and computer security world. It is an attack in which the attacker secretly monitors and alters the communication between two parties.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Upgrade the OpenSSL to the latest version.

Related Articles