Description
Security scanners may report that Access Server's web services permit SSL/TLS renegotiation, which a client could abuse in renegotiation attacks (for example, forcing repeated handshakes to burn server CPU).
The finding stems from the older OpenSSL library shipped by the operating system, which gives the application no simple switch to refuse renegotiation. Newer OpenSSL exposes this as a setting the application controls, and Access Server simply turns it off. By default, therefore, Access Server 2.9.0 and above disables SSL renegotiation entirely on a platform that uses OpenSSL 1.1.0 or higher.
Solution
Update to an operating system that ships OpenSSL 1.1.0 or higher, and update Access Server to 2.9 or higher.
Do not attempt to update only OpenSSL separately in the OS; that will not work. Access Server is built against the OpenSSL version that ships with the OS, and we deliberately stick to that version: building against anything else would produce a combination of software that was never expected or intended to run on that OS. Programs expect a particular major version of a library to be present, and deviating from that is generally considered a bad idea as well as a poor use of development resources.
The solution is to run a platform that ships OpenSSL 1.1.0 or higher by default (`openssl version` shows what your OS provides). If your OS does not, you need to move to one that does.
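The two checks a practitioner will want here, as an added example that is not Access Server's own code: first, whether the platform's OpenSSL meets the 1.1.0 floor this article describes (the version banners used as sample input are constructed, in the format `openssl version` prints), and second, what "we control this setting and simply have it turned off" looks like in an application linked against a new enough OpenSSL, using Python's `ssl` module as a stand-in for any OpenSSL-linked server. The `OP_NO_RENEGOTIATION` option only exists when the underlying library is OpenSSL 1.1.0h or later, which is exactly why the fix is tied to the OS library rather than to the application alone.

```python
"""Added example (not Access Server code): check an OpenSSL version banner
against the 1.1.0 floor from the article, and build a server-side TLS
context with renegotiation disabled where the linked library allows it."""
import re
import ssl

MIN_OPENSSL = (1, 1, 0)  # floor stated in the article

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Extract (major, minor, fix) from an 'openssl version' style banner.

    Handles the classic 'OpenSSL 1.0.2k-fips  26 Jan 2017' form and the
    3.x form 'OpenSSL 3.0.2 15 Mar 2022'. Returns None if no OpenSSL
    version can be found (e.g. a LibreSSL banner or garbage input).
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def platform_qualifies(banner):
    """True when the OpenSSL named in `banner` is 1.1.0 or higher."""
    version = parse_openssl_version(banner)
    return version is not None and version >= MIN_OPENSSL


def linked_openssl_version():
    """(major, minor, fix) of the OpenSSL this interpreter is linked against."""
    return ssl.OPENSSL_VERSION_INFO[:3]


def renegotiation_can_be_disabled():
    """SSL_OP_NO_RENEGOTIATION was added in OpenSSL 1.1.0h; on older
    libraries Python does not expose the constant at all."""
    return hasattr(ssl, "OP_NO_RENEGOTIATION")


def build_server_context():
    """Server context that refuses TLS <= 1.2 renegotiation outright.

    Illustrates the behaviour the article attributes to Access Server 2.9+
    on OpenSSL 1.1.0+; it is not Access Server's configuration code.
    TLS 1.3 has no renegotiation, so the option only matters for 1.2 and below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if renegotiation_can_be_disabled():
        # Never send HelloRequest, and ignore a mid-session ClientHello.
        ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def renegotiation_disabled(ctx):
    """True if the context carries SSL_OP_NO_RENEGOTIATION."""
    if not renegotiation_can_be_disabled():
        return False
    return bool(ctx.options & ssl.OP_NO_RENEGOTIATION)


if __name__ == "__main__":
    banner = ssl.OPENSSL_VERSION  # same text 'openssl version' would print
    verdict = "ok" if platform_qualifies(banner) else "too old: pick another OS"
    print(banner, "->", verdict)
    print("renegotiation disabled:", renegotiation_disabled(build_server_context()))
```

Run it on the host in question; a "too old" verdict means the OS itself has to change, since, as the article says, swapping in a newer OpenSSL underneath a binary built against the distribution's copy is not a supported fix.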