[openssl-dev] [RFC PATCH] doc/ssl: describe the possible DoS via repeated SSL session re-negotiation

Sebastian Andrzej Siewior openssl-dev at ml.breakpoint.cc
Thu Aug 11 19:13:45 UTC 2016


On 2016-08-11 18:04:41 [+0200], Hubert Kario wrote:
> On Thursday, 11 August 2016 13:50:53 CEST Sebastian Andrzej Siewior wrote:
> > On 2016-08-11 11:34:24 [+0200], Hubert Kario wrote:
> > > it all depends on the environment, in some renegotiation is completely
> > > unnecessary (public HTTP servers without client certificate based
> > > authentication), in others just client-initiated renegotiation is needed
> > > (typical configuration for HTTP with client certificates), while in other
> > 
> > Is this renegotiation (in this case) triggered by the client or by the
> > server? I have here access to a few servers which require client certs
> > and they don't support renegotiation (triggered by the client) right
> > after connect.
> 
> in this case the renegotiation is triggered by server

Good. So still no reason to accept a renegotiation request from the
client (except your "long standing connection" point (which could be
rate-limited or shifted to the server)).

Sebastian
