On Wed, Jul 11, 2018 at 10:04:30AM -0400, Viktor Dukhovni wrote:

> On Wed, Jul 11, 2018 at 03:27:05PM +0200, Viktor Schneider wrote:
> 
> > While checking the SSL configuration of a Postfix server, I noticed that 
> > so-called "Client-initiated secure renegotiation" is available at 
> > Postfix by default.
> > You can verify it with following openssl command and press "R" once the 
> > connection is successfully established:
> 
> When you configure TLS handshake rate limits, they apply equally
> to new connections and renegotiation.  If you don't configure TLS
> handshake rate limits, it is not clear why you'd want to restrict
> renegotiation, unless you're trying to use connection rate limits
> as a proxy for TLS rate limits.

It seems I misremembered, post-STARTTLS renegotiation is not subjected
to anvil rate limits.  I'd need to find the right OpenSSL callback
to hook into the server processing of client TLS HELLO requests and
turn them down if the rate is too high.  This is not presently
implemented.

-- 
        Viktor.
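As an added illustration of the rate-limiting idea discussed above (not code from the thread or from Postfix), the following Python sketch models one handshake budget per client address that covers both new TLS connections and renegotiations on an already established connection. The limiter class, the event format, the client addresses and the numbers are all constructed here; the only real OpenSSL names mentioned are in comments (`SSL_CTX_set_info_callback`, `SSL_CB_HANDSHAKE_START`), as a hypothetical place where such a check could be called.

```python
"""Per-client TLS handshake rate limiter (constructed illustration).

One sliding-window budget per client covers both the initial handshake
and every renegotiation, so a client cannot bypass a connection-level
limit by renegotiating repeatedly inside one connection.
"""
from collections import defaultdict, deque


class HandshakeRateLimiter:
    """Allow at most `limit` handshakes per client within `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        # client address -> timestamps of recent accepted handshakes
        self._events = defaultdict(deque)

    def allow(self, client, now):
        """Return True if this handshake fits the budget, else False.

        Hypothetical integration point: a server-side OpenSSL info callback
        (SSL_CTX_set_info_callback) sees SSL_CB_HANDSHAKE_START for both the
        first handshake and any renegotiation, so a check like this could
        run there and the connection be closed when it returns False.
        """
        window_events = self._events[client]
        # Drop timestamps that have fallen out of the window.
        while window_events and now - window_events[0] >= self.window:
            window_events.popleft()
        if len(window_events) >= self.limit:
            return False
        window_events.append(now)
        return True


def simulate(events, limit=3, window=60.0):
    """Run a list of (timestamp, client, kind) events through the limiter.

    `kind` is 'new' (fresh connection) or 'reneg' (renegotiation); both
    draw from the same budget. Returns (timestamp, client, kind, decision).
    """
    limiter = HandshakeRateLimiter(limit, window)
    decisions = []
    for ts, client, kind in events:
        ok = limiter.allow(client, ts)
        decisions.append((ts, client, kind, "accept" if ok else "reject"))
    return decisions


# Constructed sample: one client renegotiates rapidly on a single
# connection, a second client makes one ordinary connection.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", "new"),
    (1.0, "192.0.2.10", "reneg"),
    (2.0, "192.0.2.10", "reneg"),
    (3.0, "192.0.2.10", "reneg"),     # fourth handshake in 60s: rejected
    (5.0, "198.51.100.7", "new"),     # unrelated client, own budget
    (61.0, "192.0.2.10", "reneg"),    # oldest events expired: accepted
]


def rejected_count(decisions):
    """Number of handshakes the limiter refused."""
    return sum(1 for _, _, _, decision in decisions if decision == "reject")


if __name__ == "__main__":
    for row in simulate(SAMPLE_EVENTS):
        print(row)
```

The point the sketch makes is the one in the exchange: if the budget were charged only on new connections, the three renegotiations from 192.0.2.10 would all pass. Where renegotiation has no legitimate use on a server, OpenSSL 1.1.0h and later also offer `SSL_OP_NO_RENEGOTIATION` to refuse client-initiated renegotiation outright, which removes the need for such a counter entirely.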
