
Addressing "Secure Client Renegotiation" Warning in SSL/TLS audits

Overview

During a security audit of a Kerio Connect server, you may encounter a warning for “Secure Client Renegotiation” (SSL Labs reports it as “Secure Client-Initiated Renegotiation: Supported”, marked as a DoS danger).
This warning indicates that your server accepts TLS 1.2 or older connections and lets a connected client start a new handshake on the existing session. Even when that renegotiation uses the RFC 5746 secure renegotiation extension, each request forces the server through another full, CPU-intensive handshake, so a single client can use it to exhaust server resources (a denial-of-service risk). The older man-in-the-middle plaintext-injection attack (CVE-2009-3555) applies only to insecure renegotiation, which this particular warning does not indicate.

Common symptoms include:

  • Security scanners or SSL testing tools flagging "Secure Client Renegotiation"

  • Lower SSL scores on tools like SSL Labs

  • Renegotiation warnings or errors in TLS handshake logs

This article explains how to disable TLS renegotiation on your Kerio Connect server by allowing only TLS 1.3, and how to verify that the change took effect.

Solution

Configure Kerio Connect to Use TLS 1.3

Kerio Connect supports TLS 1.3, and TLS 1.3 (RFC 8446) removed renegotiation from the protocol entirely, so a server that negotiates only TLS 1.3 cannot be asked to renegotiate.
To eliminate the “Secure Client Renegotiation” warning, configure Kerio Connect to use only TLS 1.3, following the steps in our Changing SSL/TLS Configuration article. Before you restrict the server to TLS 1.3, check that your email clients and the mail servers you exchange mail with support it (see the FAQ below); clients limited to TLS 1.2 or older will no longer be able to connect.

Verify the Configuration

After applying the changes, confirm that the server no longer negotiates TLS 1.2 or older and that it does negotiate TLS 1.3; refusing the older versions is what removes renegotiation.

Option 1: Using OpenSSL

Run the following commands, replacing yourserver and the port as appropriate (for services that use STARTTLS, such as SMTP submission on port 587, add -starttls smtp; for IMAP on port 143, add -starttls imap). The first command forces a TLS 1.2 handshake, which should now fail; the second forces TLS 1.3 (available in OpenSSL 1.1.1 and newer), which should succeed:

openssl s_client -connect yourserver:443 -tls1_2
openssl s_client -connect yourserver:443 -tls1_3

On a TLS 1.3-only server the first command fails with a protocol-version error (for example “tlsv1 alert protocol version”) and its session summary reads “New, (NONE), Cipher is (NONE)”. The second command reports “Protocol : TLSv1.3” and a TLS 1.3 cipher suite such as TLS_AES_256_GCM_SHA384.

Note that s_client always prints a “Secure Renegotiation IS supported” or “IS NOT supported” line. That line describes the RFC 5746 extension, not whether clients may renegotiate, and under TLS 1.3 it reads “IS NOT supported”, which is expected. If the first command still establishes a TLS 1.2 session, the configuration has not taken effect; you can then test client-initiated renegotiation directly by typing R on a line by itself in the s_client session: a server that still permits it prints “RENEGOTIATING” and completes a second handshake, while a server that refuses returns an error or closes the connection.
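As an added example (not Kerio's own tooling and not part of the original article), the following POSIX shell script wraps the OpenSSL checks above for several Kerio Connect services at once. For each port it forces a TLS 1.2 handshake and then a TLS 1.3 handshake and judges the result from the “New, <protocol>, Cipher is <name>” line that s_client prints, which is reliable even on failed handshakes. The hostname, the port list (Kerio Connect's default ports) and the STARTTLS pairings are assumptions to adjust for your deployment; OpenSSL 1.1.1 or newer is required for -tls1_3.

```shell
#!/bin/sh
# tls_probe.sh: added example, not part of Kerio Connect or its documentation.
# Probes each listed Kerio Connect service with "openssl s_client" and checks
# that a forced TLS 1.2 handshake is refused while TLS 1.3 is accepted, which
# is what rules out client-initiated renegotiation. Requires OpenSSL 1.1.1 or
# newer (for -tls1_3). The port list is Kerio Connect's default set and is an
# assumption; adjust it to your deployment.

# classify_handshake: read s_client output on stdin and print one word:
#   tls13   - handshake completed with TLS 1.3
#   tls12   - handshake completed with TLS 1.2 (renegotiation still possible)
#   refused - handshake attempted but failed (e.g. protocol version alert)
#   unknown - no session summary at all (e.g. TCP connection refused)
# The "New, <protocol>, Cipher is <name>" line is the reliable marker: after a
# failed handshake s_client still prints an SSL-Session block that says
# "Protocol : TLSv1.2", but the New line then reads "New, (NONE), Cipher is (NONE)".
classify_handshake() {
    new_line=$(grep '^New, ' | head -n 1 || true)
    case "$new_line" in
        *"Cipher is (NONE)"*) echo refused ;;
        "New, TLSv1.3,"*)     echo tls13 ;;
        "New, TLSv1.2,"*)     echo tls12 ;;
        *)                    echo unknown ;;
    esac
}

# probe HOST PORT VERSION_FLAG [STARTTLS_PROTOCOL]
# Runs one handshake attempt. stdin is /dev/null so s_client exits as soon as
# the handshake (or its failure) has been reported.
probe() {
    if [ -n "${4:-}" ]; then
        openssl s_client -connect "$1:$2" "$3" -starttls "$4" </dev/null 2>&1 \
            | classify_handshake
    else
        openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 \
            | classify_handshake
    fi
}

# judge TLS12_RESULT TLS13_RESULT: print the verdict for one service.
judge() {
    case "$1/$2" in
        refused/tls13) echo "PASS: TLS 1.2 refused, TLS 1.3 negotiated" ;;
        tls12/*)       echo "FAIL: TLS 1.2 still accepted; client renegotiation remains possible" ;;
        */tls13)       echo "WARN: TLS 1.3 negotiated but the TLS 1.2 attempt returned '$1'" ;;
        *)             echo "FAIL: TLS 1.3 not negotiated (result '$2')" ;;
    esac
}

# check_service HOST PORT [STARTTLS_PROTOCOL]: probe both versions and report.
check_service() {
    r12=$(probe "$1" "$2" -tls1_2 "${3:-}")
    r13=$(probe "$1" "$2" -tls1_3 "${3:-}")
    printf '%s:%s %-9s tls1_2=%-8s tls1_3=%-8s %s\n' \
        "$1" "$2" "${3:-implicit}" "$r12" "$r13" "$(judge "$r12" "$r13")"
}

# Usage: sh tls_probe.sh mail.example.com   (the hostname is an assumption)
if [ -n "${1:-}" ]; then
    check_service "$1" 443          # webmail / admin HTTPS
    check_service "$1" 993          # IMAP over TLS
    check_service "$1" 465          # SMTP over TLS
    check_service "$1" 587 smtp     # submission with STARTTLS
    check_service "$1" 143 imap     # IMAP with STARTTLS
fi
```

A PASS line for every service means no client can open a TLS 1.2 session on it, so renegotiation is impossible there; a FAIL on a STARTTLS port after 443 passes usually means the mail services have a separate protocol setting that was not changed.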

Option 2: Using Online Tools

Use the SSL Labs Server Test to:

  • Confirm that the Protocols section lists only TLS 1.3

  • Verify that “Secure Client-Initiated Renegotiation” is reported as Not supported

  • Review the overall SSL/TLS security rating

SSL Labs tests only the HTTPS service (the webmail interface on port 443). The IMAP, POP3 and SMTP ports must be checked with OpenSSL as described in Option 1.

Summary

The “Secure Client Renegotiation” warning indicates that clients may renegotiate established TLS 1.2 (or older) sessions, which exposes the server to handshake-driven resource exhaustion.
By configuring Kerio Connect to use only TLS 1.3, which has no renegotiation mechanism, you remove that possibility, strengthen your server’s SSL/TLS configuration, and improve compliance with modern standards.

FAQ

1. Why does Kerio Connect show a “Secure Client Renegotiation” warning?
 This occurs when the server accepts TLS 1.2 or older connections and allows a connected client to start a new handshake on the existing session, which a client can abuse to tie up server CPU. TLS 1.3 has no renegotiation mechanism, so a server that negotiates only TLS 1.3 cannot produce the warning.

2. Will switching to TLS 1.3 affect email clients or deliverability?
 It can. Enforcing TLS 1.3 improves security, but it blocks email clients and peer mail servers that support only older TLS versions, so older desktop and mobile clients may fail to connect and mail exchange with such servers may fail. Review the clients and mail peers you depend on before enforcing TLS 1.3, and watch the mail logs for handshake failures afterwards.


Priyanka Bhotika