[openssl-dev] [RFC PATCH] doc/ssl: describe the possible DoS via repeated SSL session re-negotiation

Viktor Dukhovni openssl-users at dukhovni.org
Tue Aug 9 19:26:44 UTC 2016


On Tue, Aug 09, 2016 at 09:18:58PM +0200, Sebastian Andrzej Siewior wrote:

> > Postfix supports rate limiting new session creation:
> > 
> >     http://www.postfix.org/postconf.5.html#smtpd_client_new_tls_session_rate_limit
> > 
> > Other servers can implement similar resource limits as appropriate.
> 
> I don't really know what I am supposed to do with this information. Do
> you want me to add this as an example into the doc patch or do you
> simply point out that others already took precautions?

CPU exhaustion attacks on servers are a fundamental feature of TLS.

I am not sure that OpenSSL needs to say anything about this.  Server
applications that want to protect against inadvertent DoS by buggy
clients can implement the obvious counter-measure (rate limit
handshakes with clients that generate too many new sessions per
sample interval).  If you feel that this is not obvious, and others
agree, feel free to propose some text.

Note that deliberate DoS and especially DDoS will overcome even
rate limits, by attacking from multiple clients, or just flooding
the target network.  So this can only protect against accidents,
not malice by capable adversaries.

-- 
	Viktor.
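
One way a server application could implement the counter-measure described in the message above (limit clients that generate too many new sessions per sample interval), shown as an added example that is not part of the original thread and is neither OpenSSL nor Postfix code. The function names, table size, interval and limit are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SLOTS    1024  /* table size (assumed) */
#define INTERVAL 60    /* sample interval, seconds (assumed) */
#define MAX_NEW  10    /* new sessions allowed per client per interval (assumed) */

struct slot { char addr[46]; time_t start; unsigned new_sessions; };
static struct slot table[SLOTS];

/* Find the client's slot; restart it when the interval has expired or when
 * the slot belongs to another address (a collision evicts the old entry, so
 * a production table needs chaining or a real hash map). */
static struct slot *lookup(const char *addr, time_t now)
{
    unsigned h = 2166136261u;                       /* FNV-1a */
    for (const char *p = addr; *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    struct slot *s = &table[h % SLOTS];
    if (strcmp(s->addr, addr) != 0 || now - s->start >= INTERVAL) {
        snprintf(s->addr, sizeof s->addr, "%s", addr);
        s->start = now;
        s->new_sessions = 0;
    }
    return s;
}

/* Before starting a handshake: 1 = proceed, 0 = refuse or delay the client. */
int handshake_permitted(const char *addr, time_t now)
{
    return lookup(addr, now)->new_sessions < MAX_NEW;
}

/* After a handshake completes. `resumed` is nonzero when the session came
 * from the cache (OpenSSL reports this via SSL_session_reused()); only
 * full handshakes, which carry the expensive public-key work, are counted. */
void handshake_done(const char *addr, int resumed, time_t now)
{
    if (!resumed)
        lookup(addr, now)->new_sessions++;
}

int main(void)
{
    time_t t = 1000;                                /* constructed clock */
    for (int i = 0; i < 12; i++)                    /* constructed burst from one client */
        if (handshake_permitted("192.0.2.7", t + i)) handshake_done("192.0.2.7", 0, t + i);
    printf("after burst: %d\n", handshake_permitted("192.0.2.7", t + 12));
    printf("next interval: %d\n", handshake_permitted("192.0.2.7", t + 60));
    return 0;
}
```

Because the counter is keyed on a single client address, it covers the buggy-client case the message describes and not traffic spread across many clients.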

