[openssl-dev] [RFC PATCH] doc/ssl: describe the possible DoS via repeated SSL session re-negotiation

Sebastian Andrzej Siewior openssl-dev at ml.breakpoint.cc
Thu Aug 11 11:50:53 UTC 2016


On 2016-08-11 11:34:24 [+0200], Hubert Kario wrote:
> it all depends on the environment, in some renegotiation is completely 
> unnecessary (public HTTP servers without client certificate based 
> authentication), in others just client-initiated renegotiation is needed 
> (typical configuration for HTTP with client certificates), while in other 

Is this renegotiation (in this case) triggered by the client or by the
server? I have here access to a few servers which require client certs
and they don't support renegotiation (triggered by the client) right
after connect.

> still renegotiation is necessary for both sides (long sessions that want the 
> ability to renew encryption keys).
You are talking here about long sessions. A simple rate limit would be
okay. My wording was "remove client initiated renegotiation if possible"
I think. Also keeping a rate limit per connection would be nice then.

Sebastian
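The "rate limit per connection" idea from the reply above, as an added illustration that is not part of this thread and not OpenSSL code: a small sliding-window limiter that a server would consult each time a handshake starts on an existing connection. The first handshake on a connection is always allowed; only renegotiations are counted, and once more than RENEG_MAX_PER_WINDOW of them have started within RENEG_WINDOW_SEC the limiter says to refuse (the caller would then close the connection). The struct, function names and the two limits are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: per-connection renegotiation limiter. Not OpenSSL
 * code; the limits and names are assumptions chosen for illustration. */
#define RENEG_WINDOW_SEC     60   /* length of the sliding window, seconds */
#define RENEG_MAX_PER_WINDOW 3    /* renegotiations tolerated per window   */

struct reneg_limiter {
    uint64_t stamps[RENEG_MAX_PER_WINDOW]; /* ring of recent handshake times */
    size_t   head;              /* next ring slot to write                 */
    size_t   count;             /* live entries in the ring (<= capacity)  */
    unsigned handshakes_seen;   /* total handshakes, incl. the initial one */
    unsigned rejected;          /* renegotiations refused so far           */
};

void reneg_limiter_init(struct reneg_limiter *l)
{
    memset(l, 0, sizeof *l);
}

/* Called when a handshake starts on this connection at time 'now' (seconds,
 * monotonic, never going backwards). Returns 1 if it may proceed, 0 if the
 * connection should be refused/closed because the client renegotiates too
 * often. The initial handshake is never limited. */
int reneg_limiter_allow(struct reneg_limiter *l, uint64_t now)
{
    l->handshakes_seen++;
    if (l->handshakes_seen == 1)
        return 1;                       /* first handshake, not a renegotiation */

    /* Expire entries that fell out of the window. Stamps are monotonic, so
     * the oldest live entry sits 'count' slots behind 'head'. */
    while (l->count > 0) {
        size_t oldest = (l->head + RENEG_MAX_PER_WINDOW - l->count)
                        % RENEG_MAX_PER_WINDOW;
        if (now - l->stamps[oldest] < RENEG_WINDOW_SEC)
            break;                      /* still inside the window */
        l->count--;
    }

    if (l->count >= RENEG_MAX_PER_WINDOW) {
        l->rejected++;                  /* budget for this window exhausted */
        return 0;
    }

    l->stamps[l->head] = now;
    l->head = (l->head + 1) % RENEG_MAX_PER_WINDOW;
    l->count++;
    return 1;
}

/* Replays a constructed burst: one initial handshake, five renegotiations
 * one second apart, then one more after the window has mostly elapsed.
 * Returns how many were refused (2: the 4th and 5th renegotiation). */
unsigned replay_constructed_burst(void)
{
    static const uint64_t times[] = { 0, 1, 2, 3, 4, 5, 62 };
    struct reneg_limiter l;
    size_t i;

    reneg_limiter_init(&l);
    for (i = 0; i < sizeof times / sizeof times[0]; i++)
        printf("t=%3llu handshake %s\n", (unsigned long long)times[i],
               reneg_limiter_allow(&l, times[i]) ? "allowed" : "REFUSED");
    return l.rejected;
}

int main(void)
{
    printf("refused: %u\n", replay_constructed_burst());
    return 0;
}
```

In a real OpenSSL server the natural place to call reneg_limiter_allow() is an info callback registered with SSL_CTX_set_info_callback(), on the SSL_CB_HANDSHAKE_START event, with the limiter kept per SSL object; that wiring is deliberately left out here so the limiter itself stays self-contained.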

