httpd-dev mailing list archives

From Chris Hill <chris.hill...@gmail.com>
Subject Re: SSL related DoS
Date Sun, 17 Apr 2011 18:40:18 GMT
Yes, disabled by default now. My point was just to make sure it does not come
back again, at least not without a config parameter to easily
disable/enable it.

On Sun, Apr 17, 2011 at 8:41 AM, Jeff Trawick <trawick@gmail.com> wrote:

> On Sat, Apr 16, 2011 at 3:39 PM, Daniel Ruggeri <DRuggeri@primary.net>
> wrote:
> > On 4/16/2011 11:52 AM, Chris Hill wrote:
> >>
> >> Dear Apache httpd dev list,
> >> ...
> >> The reason why I insist on this is that the world has come to depend on
> >> HTTP/SOAP over SSL (and Apache/OpenSSL are probably the most popular
> >> implementation) for business-critical apps, yet it is not clear how
> >> these businesses can play around with configuration parameters to fine-tune
> >> these SSL settings to their specific needs, e.g. *ensure client-side
> >> renegs can be disabled* or at least *provide a way of limiting how
> >> many client-initiated re-negotiations (or initial handshakes)
> >> a server will allow per second for a specific connection/IP*. It is
> >> great that recent Apache builds disable client-initiated renegotiation
> >> by default, but how can I ensure this will never be turned back on in
> >> future releases given the lack of configuration parameters?
> >>
> >
> > Chris,
> >   I believe this topic (enable/disable renegotiation) was brought up on
> > this list just a matter of days ago. I don't recall seeing a consensus, but I
> > would agree that a configuration parameter to (dis)allow client-initiated
> > renegotiation would be a Very Good Thing. I don't think this would be
> > very difficult to implement - and would be a good start to correct the issues
> > you call out.
>
> I thought client-initiated renegotiation was already disabled out of
> the box, with no configuration mechanism to re-enable.
>
> From ssl_engine_kernel.c, 2.2.x-latest:
>
>    /* If the first handshake is complete, change state to reject any
>     * subsequent client-initated renegotiation. */
>    else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
>        scr->reneg_state = RENEG_REJECT;
>    }
>
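The state transition Jeff quotes from ssl_engine_kernel.c, together with the two knobs Chris asks for (a switch to (dis)allow client-initiated renegotiation and a per-connection cap on handshakes per second), as an added example that is not httpd's or mod_ssl's code. It models the reneg_state machine in plain C so it builds without OpenSSL: the EV_HANDSHAKE_* flags are local stand-ins for OpenSSL's SSL_CB_HANDSHAKE_START/SSL_CB_HANDSHAKE_DONE, and the reneg_config fields, the one-second window and first_abort() are this example's own assumptions, not httpd directives or functions.

```c
/* Added example, not mod_ssl code: a model of the client-renegotiation
 * state machine quoted from ssl_engine_kernel.c, extended with a hypothetical
 * allow/deny switch and a per-connection handshakes-per-second limit. */
#include <stdio.h>

/* Local stand-ins for OpenSSL's SSL_CB_HANDSHAKE_START / SSL_CB_HANDSHAKE_DONE
 * bits that the real info callback receives in `where`. */
#define EV_HANDSHAKE_START 0x01
#define EV_HANDSHAKE_DONE  0x02

enum reneg_state {
    RENEG_INIT,    /* initial handshake still in progress              */
    RENEG_REJECT,  /* first handshake done; further ClientHellos rejected */
    RENEG_ABORT    /* rejection (or rate limit) hit; connection must die */
};

/* Hypothetical per-vhost settings (this example's names, not httpd's). */
struct reneg_config {
    int allow_client_reneg;      /* 0 = reject, like 2.2.x-latest does  */
    int max_handshakes_per_sec;  /* 0 = unlimited                        */
};

struct conn_state {
    enum reneg_state reneg_state;
    long window_start;   /* start (seconds) of the current one-second window */
    int  handshakes;     /* handshakes begun within that window             */
};

void conn_init(struct conn_state *c, long now)
{
    c->reneg_state = RENEG_INIT;
    c->window_start = now;
    c->handshakes = 0;
}

/* What an SSL info callback would do for one `where` event at time `now`.
 * Returns 1 when the connection must be aborted, 0 otherwise. */
int reneg_on_event(const struct reneg_config *cfg, struct conn_state *c,
                   int where, long now)
{
    if (c->reneg_state == RENEG_ABORT)
        return 1;                               /* sticky: already doomed */

    if (where & EV_HANDSHAKE_START) {
        /* Count every handshake start (initial and renegotiation) per second. */
        if (now - c->window_start >= 1) {
            c->window_start = now;
            c->handshakes = 0;
        }
        c->handshakes++;
        if (cfg->max_handshakes_per_sec > 0 &&
            c->handshakes > cfg->max_handshakes_per_sec) {
            c->reneg_state = RENEG_ABORT;
            return 1;
        }
        /* A ClientHello after the first handshake completed is a
         * client-initiated renegotiation; reject unless explicitly allowed. */
        if (c->reneg_state == RENEG_REJECT && !cfg->allow_client_reneg) {
            c->reneg_state = RENEG_ABORT;
            return 1;
        }
    }
    else if ((where & EV_HANDSHAKE_DONE) && c->reneg_state == RENEG_INIT) {
        c->reneg_state = RENEG_REJECT;   /* the transition Jeff quotes */
    }
    return 0;
}

/* Check the read path would make before feeding more bytes to the SSL object. */
int conn_must_close(const struct conn_state *c)
{
    return c->reneg_state == RENEG_ABORT;
}

/* Drives (event, time) pairs through reneg_on_event on a fresh connection;
 * returns the index of the first event that aborted it, or -1 if none did. */
int first_abort(const struct reneg_config *cfg, const int *events,
                const long *times, int n)
{
    struct conn_state c;
    int i;
    conn_init(&c, n > 0 ? times[0] : 0);
    for (i = 0; i < n; i++)
        if (reneg_on_event(cfg, &c, events[i], times[i]))
            return i;
    return -1;
}

int main(void)
{
    /* Constructed trace: initial handshake, then two renegotiation attempts
     * within the same second. */
    const int  ev[] = { EV_HANDSHAKE_START, EV_HANDSHAKE_DONE,
                        EV_HANDSHAKE_START, EV_HANDSHAKE_DONE,
                        EV_HANDSHAKE_START };
    const long t[]  = { 0, 0, 0, 0, 0 };
    struct reneg_config strict = { 0, 0 };   /* current default behaviour */
    struct reneg_config capped = { 1, 2 };   /* allowed, but 2 handshakes/s */

    printf("strict: abort at event %d\n", first_abort(&strict, ev, t, 5));
    printf("capped: abort at event %d\n", first_abort(&capped, ev, t, 5));
    return 0;
}
```

With the strict settings the second ClientHello (event index 2) aborts the connection, which is the behaviour Jeff describes; with renegotiation allowed but capped at two handshakes per second, the third handshake start in the same second (index 4) trips the limit instead, and the same trace spread over two seconds passes.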
