TFO is interesting because it lets UDP-style attacks happen at the TCP level. Normally you can't do a TCP attack unless you have a valid client IP address.
Imagine connecting once and then sending the syncookie to the botnet. This might be outside the scope of things OpenSSL cares about and I know recent Linux kernels have some mitigation capabilities. Also note that the server side should just work with no changes, it's on a TFO client that needs API changes.
