Problem

-- Is TLS renegotiation disabled because of CVE-2011-1473?

-- This CVE is exploiting the fact that, when a new SSL connection is being negotiated, the server will typically spend significantly more CPU resources than the client.

Resolution

- Renegotiation was never disabled on API Gateway listener because it doesn't make sense when we have a session cache.

- Out of date versions of SSL may be subject to a renegotiation related vulnerability, but that is remediated by so-called Secure Renegotiation in the latest TLS standards.

- The open issue is actually not really a vulnerability, but is due to the SSL/TLS renegotiation. MITRE flags it as "DISPUTED" (see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473)

- Best solution is to remove all RSA based cipher suites and to leave only DH based one : you then get more load on the client's side than on the server's one, so that a DOS attempt will result in DOSing the attacker.