Hello,


Unlike the other OpenSSL options that Exim exposes via "openssl_options", it
is currently not possible to set the following option on OpenSSL 1.1.1:
"-no_renegotiation" (SSL_OP_NO_RENEGOTIATION), in order to avoid the
possibility of DDoS via client-initiated renegotiation. That's a real
shame.


Client-initiated renegotiation is not recommended, as it opens a server to
DoS attacks inside a TLS connection (TLS 1.2, essentially). It should
therefore be disabled. See the "IT Security Guidelines for TLS" for more
information:
https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls


Do you know how I could force this option directly in OpenSSL, for example
through an openssl.cfg configuration?


Regards

JME

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
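The openssl.cnf route the question asks about, as an added example that is not part of the original message and not Exim's own configuration: OpenSSL 1.1.1 can apply SSL_CONF commands to every SSL_CTX an application creates, through the system_default section of its configuration file, and the NoRenegotiation command there corresponds to SSL_OP_NO_RENEGOTIATION. This assumes the Exim binary is linked against OpenSSL 1.1.1 and does not opt out of OpenSSL's automatic configuration loading (the 1.1.1 default; not verified against the Exim source here). The file path and section names below are illustrative.

```ini
# Added example: system-wide OpenSSL 1.1.1 defaults, e.g. in /etc/ssl/openssl.cnf
# (the path is an assumption; "openssl version -d" prints the directory in use).
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
# Applied to every SSL_CTX at SSL_CTX_new() time, before the application
# sets its own options.
system_default = system_default_sect

[system_default_sect]
# Same effect as SSL_OP_NO_RENEGOTIATION: no HelloRequest is ever sent, and a
# mid-connection ClientHello is answered with a no_renegotiation warning alert
# instead of a second handshake.
Options = NoRenegotiation
# Unrelated to the renegotiation issue, but commonly set in the same section
# (assumption: your clients all speak TLS 1.2 or later).
MinProtocol = TLSv1.2
```

Two caveats. First, this section is global: every process on the host that links this libssl and loads the default configuration inherits the setting, clients included, which is usually what you want on a mail server. Second, the setting is applied when the SSL_CTX is created, so an application that explicitly clears the option afterwards wins; Exim's "openssl_options" only clears bits it knows about, so it should leave this one alone. To check that the file is actually picked up, run `OPENSSL_CONF=/etc/ssl/openssl.cnf openssl s_server -cert server.pem -key server.pem -accept 4433 -tls1_2` in one terminal, connect with `openssl s_client -connect 127.0.0.1:4433 -tls1_2` in another, and type `R` followed by Enter in the client to request renegotiation: with the option active the server refuses it and no second handshake appears in the s_server output, whereas without it a full renegotiation completes.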