Hi,

The following blog post explains different mitigation techniques for this vulnerability, and among them is rate limiting:
http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html#rate_limiting_ssl_handshakes

I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
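As an added illustration of the "rate-limit renegotiations" option discussed in this thread (it is not code from either message, from the blog post linked above, or from OpenSSL or httpd), here is a per-connection token-bucket limiter in C. The only OpenSSL integration it assumes is the one the library actually offers: register an info callback with SSL_CTX_set_info_callback(), keep one bucket per connection (for example in the SSL object's ex_data), and call reneg_allow() when the callback sees SSL_CB_HANDSHAKE_START on a connection that has already completed its first handshake. The callback cannot veto the handshake by itself, so on a refusal the server marks the connection and closes it on the next read or write, which is the same flagging approach httpd's mod_ssl uses to reject client-initiated renegotiation outright (since 2.2.15). All type and function names (reneg_bucket, reneg_allow, reneg_should_drop, simulate_renegotiations) and the timestamp sequence are constructed for this example.

```c
/*
 * Token-bucket rate limiter for client-initiated TLS renegotiations,
 * one bucket per connection.  Added example; not code from the thread,
 * from the linked blog post, or from OpenSSL/httpd.
 *
 * Intended use with OpenSSL (assumed, not shown): in the callback given
 * to SSL_CTX_set_info_callback(), on (where & SSL_CB_HANDSHAKE_START)
 * for an already-established connection, call reneg_allow(); if it
 * returns 0, flag the connection and close it on the next I/O.  Only
 * client-initiated renegotiations should be counted; the server knows
 * when it started one itself and can skip the check for those.
 */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    double tokens;    /* renegotiations currently permitted */
    double capacity;  /* burst size: maximum tokens held */
    double rate;      /* refill rate in renegotiations per second */
    double last;      /* time (seconds) of the last refill */
    unsigned denied;  /* renegotiations refused so far on this connection */
} reneg_bucket;

void reneg_bucket_init(reneg_bucket *b, double capacity, double rate, double now)
{
    b->tokens = capacity;   /* a fresh connection gets its full burst */
    b->capacity = capacity;
    b->rate = rate;
    b->last = now;
    b->denied = 0;
}

/* Returns 1 if a renegotiation at time 'now' is within budget, 0 if not. */
int reneg_allow(reneg_bucket *b, double now)
{
    double elapsed = now - b->last;
    if (elapsed > 0) {
        b->tokens += elapsed * b->rate;      /* refill for the time passed */
        if (b->tokens > b->capacity)
            b->tokens = b->capacity;         /* never bank more than the burst */
        b->last = now;
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;                    /* spend one token */
        return 1;
    }
    b->denied++;
    return 0;
}

/* Policy hook: after 'max_denied' refusals the connection is not worth keeping. */
int reneg_should_drop(const reneg_bucket *b, unsigned max_denied)
{
    return b->denied >= max_denied;
}

/*
 * Replay a constructed sequence of renegotiation-attempt timestamps on one
 * connection.  Fills decisions[i] with 1 (allowed) / 0 (refused) and
 * returns how many were allowed.
 */
size_t simulate_renegotiations(const double *times, size_t n,
                               double capacity, double rate, int *decisions)
{
    reneg_bucket b;
    size_t i, allowed = 0;

    if (n == 0)
        return 0;
    reneg_bucket_init(&b, capacity, rate, times[0]);
    for (i = 0; i < n; i++) {
        decisions[i] = reneg_allow(&b, times[i]);
        allowed += (size_t)decisions[i];
    }
    return allowed;
}

int main(void)
{
    /* Constructed input: a client renegotiating 5 times within 0.4 s,
     * then twice more a second later. */
    const double times[] = {0.0, 0.1, 0.2, 0.3, 0.4, 1.5, 1.6};
    int decisions[7];
    size_t i, allowed;

    /* Policy: burst of 3, then at most one renegotiation per second. */
    allowed = simulate_renegotiations(times, 7, 3.0, 1.0, decisions);
    for (i = 0; i < 7; i++)
        printf("t=%.1fs renegotiation %s\n", times[i],
               decisions[i] ? "allowed" : "refused");
    printf("%zu of 7 allowed\n", allowed);
    return 0;
}
```

With a burst of 3 and a refill of one per second, the first three attempts pass, the two that follow within the same 0.4 s are refused, and the attempt at 1.5 s passes again once a token has accumulated. The same bucket keyed per client IP instead of per connection limits an attacker who opens many connections and renegotiates once on each.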

On 12/21/2011 7:40 PM, Hasan, Rezaul (NSN - US/Arlington Heights) wrote:

Hello All,

We have openssl 0.9.8r on our Linux server. The application that's used is httpd.

A Nessus security scan on our Linux server tells us that we may be vulnerable to a potential DoS due to the SSL/TLS Renegotiation Vulnerability [CVE-2011-1473].

The suggestions for mitigating this (we believe) are:

1. Disable re-negotiation completely. {We CANNOT use this choice, because our system does need to allow re-negotiation in some cases. So NOT an option for us.}

2. "Rate-Limit" Re-Negotiations.

Can someone please provide detailed information/guidance about exactly how to go about "Rate-Limiting" Re-Negotiation requests on the Linux Server? Pointing to a detailed article would also be helpful.

Thanks a bunch in advance.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org