[openssl-users] Disabling Client-Initiated TLS renegotiation
Sashank Mullapudi (samullap)
samullap at cisco.com
Tue Nov 22 06:51:26 UTC 2016
Hi,
As part of securing our web interfaces, we wanted to disable client-initiated TLS renegotiation.
The reasoning for this requirement is as follows- Generally, renegotiation of TLS sessions is much more resource-intensive for the server than the client, and should therefore not be performed at will to avoid degrading performance. Disabling client from renegotiating secures the server from undergoing a DoS attack due to continuous renegotiation requests.
I see that there is an option SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, but that is to secure the renegotiation, not disable it.
I wanted to check if there is a patch or flag available to disable any negotiation initiated from the client side.
Thanks and Regards,
Sashank
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161122/f9d85388/attachment.html>
More information about the openssl-users
mailing list