CVSROOT:        /cvs
Module name:    src
Changes by:     r...@cvs.openbsd.org    2017/02/02 01:24:16

Modified files:
        usr.sbin/relayd: relay.c relayd.conf.5 relayd.h 

Log message:
Disable client-initiated TLS renegotiation by default.

It is rarely needed and imposes a light DoS risk.  LibreSSL's libssl
allows turning it off with a simple SSL_OP_NO_CLIENT_RENEGOTIATION
option instead of the complicated implementation that was used before.
It now turns it off completely instead of allowing one initial
client-initiated renegotiation.

It can still be enabled with "tls client-renegotiation".

ok benno@ beck@ jsing@
