[openssl-users] Disabling Client-Initiated TLS renegotiation

Sashank Mullapudi (samullap) samullap at cisco.com
Tue Nov 29 03:55:47 UTC 2016

Resending this hoping for a response from someone who has information on disabling TLS renegotiation from the Client side.


From: samullap <samullap at cisco.com<mailto:samullap at cisco.com>>
Date: Tuesday, 22 November 2016 at 12:21 PM
To: "openssl-users at openssl.org<mailto:openssl-users at openssl.org>" <openssl-users at openssl.org<mailto:openssl-users at openssl.org>>
Cc: "Ram Mohan R (rmohanr)" <rmohanr at cisco.com<mailto:rmohanr at cisco.com>>, "Anil Kumar (anilkum)" <anilkum at cisco.com<mailto:anilkum at cisco.com>>, "Nikhil Mittal (nimittal)" <nimittal at cisco.com<mailto:nimittal at cisco.com>>
Subject: Disabling Client-Initiated TLS renegotiation


As part of securing our web interfaces, we wanted to disable client-initiated TLS renegotiation.

The reasoning for this requirement is as follows- Generally, renegotiation of TLS sessions is much more resource-intensive for the server than the client, and should therefore not be performed at will to avoid degrading performance. Disabling client from renegotiating secures the server from undergoing a DoS attack due to continuous renegotiation requests.

I see that there is an option SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, but that is to secure the renegotiation, not disable it.

I wanted to check if there is a patch or flag available to disable any negotiation initiated from the client side.

Thanks and Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161129/a9bc6fe4/attachment-0001.html>

More information about the openssl-users mailing list