[ https://issues.apache.org/jira/browse/DIRMINA-939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13612748#comment-13612748 ]

Emmanuel Lecharny commented on DIRMINA-939:
-------------------------------------------

Yannick is correct. Both issues are related, but disconnected.

The fix was for the MITM attack; it does not fix the DDOS.

The thing is that anyone that can connect and establish an SSL session can start 
a renegotiation, which can potentially kill the server. However, the problem 
already exists with the initial handshake, if the client just establishes the 
SSL session but does nothing with it.

This is a pretty interesting analysis of the problem and the possible fixes 
(well... sort of).

Base line, it says that there is little we can do.
                
> SSL Renegotiation DOS
> ---------------------
>
>                 Key: DIRMINA-939
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-939
>             Project: MINA
>          Issue Type: Bug
>          Components: Core
>            Reporter: Yannick Lecaillez
>         Attachments: mina-core.patch
>
>
> More information:
> http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
> SSLFilter is subject to this issue since it allows client renegotiation.
> Test: http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html
