httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: SSL related DoS
Date Sun, 17 Apr 2011 12:41:11 GMT
On Sat, Apr 16, 2011 at 3:39 PM, Daniel Ruggeri <DRuggeri@primary.net> wrote:
> On 4/16/2011 11:52 AM, Chris Hill wrote:
>>
>> Dear Apache httpd dev list,
>> ...
>> The reason why I insist on this is that the world has come to depend on
>> HTTP/SOAP over SSL (and Apache/OpenSSL are probably the most popular
>> implementation) for business critical apps, yet it is not clear how
>> these businesses can play around with configuration parameters to fine
>> tune these SSL settings to their specific needs, e.g. *ensure client
>> side renegs can be disabled* or at least, *provide a way of limiting how
>> many of these client initiated re-negotiations (or initial handshakes)
>> a server will allow per second for a specific connection/IP*. It is
>> great that recent Apache builds disable client initiated renegotiation
>> by default, but how can I ensure this will never be turned back on in
>> future releases given the lack of configuration parameters?
>>
>
> Chris;
>   I believe this topic (enable/disable renegotiation) was brought up on this
> list just a matter of days ago. I don't recall seeing a consensus, but I
> would agree that a configuration parameter to (dis)allow client-initiated
> renegotiation would be a Very Good Thing. I don't think this would be very
> difficult to implement - and would be a good start to correct the issues you
> call out.

I thought client-initiated renegotiation was already disabled out of
the box, with no configuration mechanism to re-enable.

From ssl_engine_kernel.c, 2.2.x-latest:

    /* If the first handshake is complete, change state to reject any
     * subsequent client-initiated renegotiation. */
    else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
        scr->reneg_state = RENEG_REJECT;
    }
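As an added example (not code from httpd or OpenSSL), the reneg_state guard that the quoted snippet belongs to, modelled stand-alone in C so it runs without a TLS library. The CB_* and ST_* constants and the conn_read() function are assumptions standing in for OpenSSL's SSL_CB_* callback flags, its handshake-state values, and the read path in which the real server aborts the connection. What it shows is the full state machine around that one transition: INIT goes to REJECT on the first HANDSHAKE_DONE, a later ClientHello seen in REJECT goes to ABORT and every read then fails, and a server-initiated renegotiation opens a temporary ALLOW window that is closed again afterwards.

```c
/* Added example (not httpd or OpenSSL code): stand-alone model of the
 * reneg_state guard applied by mod_ssl's info callback, driven by
 * constructed events. CB_* and ST_* are assumptions standing in for
 * OpenSSL's SSL_CB_* "where" bits and handshake-state values. */
#include <stdio.h>

#define CB_ACCEPT_LOOP     0x01  /* assumed stand-in for SSL_CB_ACCEPT_LOOP */
#define CB_HANDSHAKE_START 0x10  /* assumed stand-in for SSL_CB_HANDSHAKE_START */
#define CB_HANDSHAKE_DONE  0x20  /* assumed stand-in for SSL_CB_HANDSHAKE_DONE */

#define ST_OTHER           0     /* any state but "reading a ClientHello" */
#define ST_SR_CLNT_HELLO   1     /* assumed: server is reading a ClientHello */

typedef enum {
    RENEG_INIT = 0,  /* first handshake not finished yet */
    RENEG_REJECT,    /* steady state: refuse client-initiated renegotiation */
    RENEG_ALLOW,     /* the server itself asked for a renegotiation */
    RENEG_ABORT      /* client tried to renegotiate: connection is dead */
} reneg_state_t;

typedef struct {
    reneg_state_t reneg_state;
    int rejected;    /* client ClientHellos refused on this connection */
} conn_t;

/* Same shape as the quoted ssl_callback_Info logic, called for every
 * state-machine event. After the first handshake the state is REJECT;
 * a ClientHello seen while in REJECT flips it to ABORT. */
void info_callback(conn_t *c, int where, int state)
{
    if ((where & CB_ACCEPT_LOOP) && c->reneg_state == RENEG_REJECT) {
        if (state == ST_SR_CLNT_HELLO) {
            c->reneg_state = RENEG_ABORT;
            c->rejected++;
        }
    }
    else if ((where & CB_HANDSHAKE_DONE) && c->reneg_state == RENEG_INIT) {
        c->reneg_state = RENEG_REJECT;
    }
}

/* Assumed model of the input path: once ABORT is set, reads fail (-1)
 * instead of feeding the renegotiation to the TLS library. */
int conn_read(const conn_t *c)
{
    return c->reneg_state == RENEG_ABORT ? -1 : 0;
}

/* Initial handshake as the library would report it. */
void initial_handshake(conn_t *c)
{
    c->reneg_state = RENEG_INIT;
    c->rejected = 0;
    info_callback(c, CB_HANDSHAKE_START, ST_OTHER);
    info_callback(c, CB_ACCEPT_LOOP, ST_SR_CLNT_HELLO); /* first hello: fine in INIT */
    info_callback(c, CB_HANDSHAKE_DONE, ST_OTHER);
}

/* A client sends a second ClientHello on the established connection. */
void client_renegotiation(conn_t *c)
{
    info_callback(c, CB_HANDSHAKE_START, ST_OTHER);
    info_callback(c, CB_ACCEPT_LOOP, ST_SR_CLNT_HELLO);
}

/* The server renegotiates on its own initiative (for example to request
 * a client certificate per directory): open the ALLOW window, run the
 * handshake, then return to REJECT. */
void server_renegotiation(conn_t *c)
{
    c->reneg_state = RENEG_ALLOW;
    info_callback(c, CB_HANDSHAKE_START, ST_OTHER);
    info_callback(c, CB_ACCEPT_LOOP, ST_SR_CLNT_HELLO); /* tolerated in ALLOW */
    info_callback(c, CB_HANDSHAKE_DONE, ST_OTHER);      /* no-op: not in INIT */
    c->reneg_state = RENEG_REJECT;
}

/* Scenario helpers returning the final state, for checking. */
int scenario_server_then_client(void)
{
    conn_t c;
    initial_handshake(&c);
    server_renegotiation(&c);   /* still REJECT afterwards, nothing rejected */
    if (c.reneg_state != RENEG_REJECT || c.rejected != 0) return -1;
    client_renegotiation(&c);   /* now ABORT, reads fail */
    return c.reneg_state == RENEG_ABORT && conn_read(&c) == -1 && c.rejected == 1;
}

int main(void)
{
    conn_t c;
    initial_handshake(&c);
    printf("after first handshake: state=%d read=%d\n", c.reneg_state, conn_read(&c));
    client_renegotiation(&c);
    printf("after client reneg:    state=%d read=%d\n", c.reneg_state, conn_read(&c));
    return 0;
}
```

The relevant point for the question above is that nothing in this path consults a directive: once the first handshake is done, a client ClientHello is refused unconditionally and the connection is torn down. That is also the practical check from outside: connect with `openssl s_client` and press `R` to trigger a client-initiated renegotiation; a server with this guard drops the connection.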
