[openssl-dev] [RFC PATCH] doc/ssl: describe the possible DoS via repeated SSL session re-negotiation
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Aug 8 20:16:58 UTC 2016
On Mon, Aug 08, 2016 at 08:57:26PM +0200, Sebastian Andrzej Siewior wrote:
> This is a computation attack and unfortunately the way a SSL handshake
> works. I understand that this `feature' is part of the TLS specification
> and I am not trying to nuke from openssl. Instead I would like to
> describe the possible attack and some countermeasures to mitigate its
> outcome. Having it in the doc section would allow one to ping other
> projects, point them to this section and ask them if they could drop the
> support for re-negotiation request from the client. From looking around,
> nginx for instance does not support renegotiation from client's side.
Postfix supports rate limiting new session creation:
http://www.postfix.org/postconf.5.html#smtpd_client_new_tls_session_rate_limit
Other servers can implement similar resource limits as appropriate.
--
Viktor.
More information about the openssl-dev
mailing list