[
https://issues.apache.org/jira/browse/DIRMINA-939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13612414#comment-13612414
]
Emmanuel Lecharny commented on DIRMINA-939:
-------------------------------------------
The flag could be useful for those who don't care to support SSL Renegotiation,
but care about the DDOS. SSL Renegotiation is not something mandatory in most
of the cases anyway. I'd rather let the developer have the option of
completely disabling it.

The counter would be just used to check that an SSL Renegotiation does not occur
many times in a short period of time. It won't protect the server against a DDOS
where many different clients try to do an SSL Renegotiation at the same time,
but at least, it makes it slightly more difficult for an attacker to DDOS the
server.

We should also consider that a site can be protected against such an attack with
the help of higher level systems (firewall, etc).
> SSL Renegotiation DOS
> ---------------------
>
> Key: DIRMINA-939
> URL: https://issues.apache.org/jira/browse/DIRMINA-939
> Project: MINA
> Issue Type: Bug
> Components: Core
> Reporter: Yannick Lecaillez
> Attachments: mina-core.patch
>
>
> More information:
> http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
> SSLFilter is subject to this issue since it allows client renegotiation.
> Test: http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html
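
The flag and the counter discussed in the comment above, sketched as an added example that is not part of the original message or of MINA's code. `RenegotiationGuard` and `onHandshakeStart` are hypothetical names, and the caller is assumed to invoke the guard each time a TLS handshake starts on a session and to close the session when it returns false.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Hypothetical per-session guard; not an existing MINA class. */
public class RenegotiationGuard {
    private final boolean renegotiationAllowed; // the flag: false refuses every renegotiation
    private final int maxPerWindow;             // the counter limit
    private final long windowMillis;            // length of the sliding window
    private final Deque<Long> recent = new ArrayDeque<>(); // accepted renegotiation times
    private boolean initialHandshakeDone;

    public RenegotiationGuard(boolean renegotiationAllowed, int maxPerWindow, long windowMillis) {
        this.renegotiationAllowed = renegotiationAllowed;
        this.maxPerWindow = maxPerWindow;
        this.windowMillis = windowMillis;
    }

    /** Returns false when the handshake should be refused and the session closed. */
    public synchronized boolean onHandshakeStart(long nowMillis) {
        if (!initialHandshakeDone) {          // the first handshake is always required
            initialHandshakeDone = true;
            return true;
        }
        if (!renegotiationAllowed) {          // renegotiation completely disabled
            return false;
        }
        // Forget renegotiations that have left the sliding window.
        while (!recent.isEmpty() && nowMillis - recent.peekFirst() >= windowMillis) {
            recent.pollFirst();
        }
        if (recent.size() >= maxPerWindow) {  // too many in a short period of time
            return false;
        }
        recent.addLast(nowMillis);
        return true;
    }

    public static void main(String[] args) {
        // Constructed timeline: handshake start times (ms) seen on one session.
        long[] starts = {0, 100, 200, 300, 400, 11_000};
        RenegotiationGuard limited = new RenegotiationGuard(true, 3, 10_000);
        RenegotiationGuard disabled = new RenegotiationGuard(false, 0, 0);
        for (long t : starts) {
            System.out.printf("t=%d limited=%b disabled=%b%n",
                    t, limited.onHandshakeStart(t), disabled.onHandshakeStart(t));
        }
    }
}
```

The guard keeps state per session, so it limits one connection only; many clients renegotiating at the same time still have to be handled at a higher level, as the comment notes.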