On Mon, Aug 08, 2016 at 08:57:26PM +0200, Sebastian Andrzej Siewior wrote:

> This is a computation attack and unfortunately the way an SSL handshake
> works. I understand that this `feature' is part of the TLS specification
> and I am not trying to nuke it from openssl. Instead I would like to
> describe the possible attack and some countermeasures to mitigate its
> outcome. Having it in the doc section would allow one to ping other
> projects, point them to this section and ask them if they could drop the
> support for re-negotiation request from the client. From looking around,
> nginx for instance does not support renegotiation from client's side.

Postfix supports rate limiting new session creation:

    http://www.postfix.org/postconf.5.html#smtpd_client_new_tls_session_rate_limit

Other servers can implement similar resource limits as appropriate.

-- 
	Viktor.
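
Added example, not part of the original message and not Postfix or OpenSSL code: a sketch of the kind of per-client limit mentioned above, counting handshake starts (client-initiated renegotiations included) per address in a fixed time window. The function names, table size, window length and limit are all assumptions chosen for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>

#define MAX_CLIENTS    1024  /* table size (assumed) */
#define WINDOW_SECS    60    /* counting window in seconds (assumed) */
#define MAX_HANDSHAKES 10    /* handshakes allowed per client per window (assumed) */

struct client_slot {
    char     addr[46];       /* textual IPv4/IPv6 address; "" means unused */
    time_t   window_start;   /* start of the current counting window */
    unsigned handshakes;     /* handshakes seen in this window */
};
static struct client_slot table[MAX_CLIENTS];

/* Find the client's slot, or claim an unused/expired one for it. */
static struct client_slot *find_slot(const char *addr, time_t now)
{
    struct client_slot *reuse = NULL;
    uint32_t h = 2166136261u;                        /* FNV-1a hash of the address */
    for (const char *p = addr; *p; p++) h = (h ^ (uint8_t)*p) * 16777619u;
    for (unsigned i = 0; i < MAX_CLIENTS; i++) {
        struct client_slot *s = &table[(h + i) % MAX_CLIENTS];
        if (s->addr[0] && strcmp(s->addr, addr) == 0) return s;
        if (!reuse && (!s->addr[0] || now - s->window_start >= WINDOW_SECS)) reuse = s;
        if (!s->addr[0]) break;                      /* slots are never emptied, so stop here */
    }
    if (reuse) {
        memset(reuse, 0, sizeof *reuse);
        strncpy(reuse->addr, addr, sizeof reuse->addr - 1);
        reuse->window_start = now;
    }
    return reuse;
}

/* Call once per handshake start, renegotiations included.
 * Returns 1 to proceed, 0 to refuse (e.g. close the connection). */
int tls_handshake_allowed(const char *addr, time_t now)
{
    if (!addr || !*addr) return 0;
    struct client_slot *s = find_slot(addr, now);
    if (!s) return 0;                                /* table full of active clients: fail closed */
    if (now - s->window_start >= WINDOW_SECS) {      /* window over: start a new one */
        s->window_start = now;
        s->handshakes = 0;
    }
    if (s->handshakes >= MAX_HANDSHAKES) return 0;
    s->handshakes++;
    return 1;
}
```

A server built on OpenSSL could call such a function when its info callback reports `SSL_CB_HANDSHAKE_START`, which fires for renegotiations as well as for the initial handshake.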