> > Real-world servers already do this. It's kind of redundant
> > for OpenSSL to
> > do this as well because almost all applications also support non-SSL
> > connections. A renegotiation callback might not be a bad idea though, so
> > that applications can better track the load clients are placing.
> This happens in the SSL layer, not the application layer.
If by "this" you mean the renegotiation, yes. If by "this" you mean the
decision to disconnect a client that is placing excessive load, no. This is
why I suggested a renegotiation callback.
> The letter 'R', when sent to the "openssl" command, triggers
> SSL_renegotiate()/SSL_do_handshake() (and is
> not sent to the server); it works like a control character
> to the "openssl" command.
> As you see, the client is sending a client_key_exchange handshake packet
> which must be decrypted on the server side with the server's RSA private key.
> In other words, after establishing the SSL connection the client
> may execute SSL_renegotiate()/SSL_do_handshake() and the server
> (if it has no SSL "renegotiate_rate_limit") has to use its private RSA key
> (if we use RSA), which is very time consuming.
> All this happens within one TCP connection.
> The application layer does not see this.
Right, that's why I suggested making it visible to the application
layer.
The application layer already has to have code to handle excessive load
because there are many ways to place load that are not visible at the SSL
layer. Better to have one complete solution than two pieces of a solution.
DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List
Automated List Manager
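An added example, not code from this thread or from the OpenSSL project: the per-connection check an application could perform once handshake starts are visible to it, fed from OpenSSL's existing info callback (SSL_CB_HANDSHAKE_START fires for renegotiations as well as the initial handshake). The policy values, the struct and the function names are assumptions.

```c
#include <stddef.h>
#include <time.h>
/* Assumed policy (hypothetical values): at most MAX_HANDSHAKES handshake
 * starts per connection, counted in WINDOW_SECS second windows. The initial
 * handshake counts too, so this allows MAX_HANDSHAKES - 1 renegotiations. */
#define MAX_HANDSHAKES 3
#define WINDOW_SECS    60

struct renego_state {
    time_t window_start; /* start of the current counting window */
    int    handshakes;   /* handshake starts seen in that window */
    int    exceeded;     /* sticky: once set, the I/O loop closes the socket */
};

/* Record one handshake start at time `now`.
 * Returns 1 while within policy, 0 once the connection should be dropped. */
int renego_record(struct renego_state *st, time_t now)
{
    if (st->handshakes == 0 || now - st->window_start >= WINDOW_SECS) {
        st->window_start = now; /* open a fresh window */
        st->handshakes = 0;
    }
    st->handshakes++;
    if (st->handshakes > MAX_HANDSHAKES)
        st->exceeded = 1;
    return !st->exceeded;
}

/* OpenSSL wiring, compiled only where the headers are present. Per-connection
 * state is attached with SSL_set_app_data() when the connection is accepted,
 * and the callback is installed once per context with
 * SSL_CTX_set_info_callback(ctx, renego_info_cb). */
#ifdef __has_include
#if __has_include(<openssl/ssl.h>)
#include <openssl/ssl.h>
__attribute__((unused)) static void renego_info_cb(const SSL *ssl, int where, int ret)
{
    (void)ret;
    if (where & SSL_CB_HANDSHAKE_START) {
        struct renego_state *st = (struct renego_state *)SSL_get_app_data(ssl);
        /* The callback cannot abort the handshake itself; it only marks the
         * connection, and the application's read/write loop checks
         * st->exceeded and closes the socket. */
        if (st != NULL)
            (void)renego_record(st, time(NULL));
    }
}
#endif
#endif
```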