Hi Kevin,

> On 26 Jul 2017, at 18:39, Kevin McArthur <ke...@stormtide.ca> wrote:
> 
> Interesting. I'd probably recommend not pushing this patch out then until 
> this can be fixed as it will be trivial to resource-exploit a haproxy 
> instance that is exhibiting a client-controlled retry. A quick try with a 
> script that generates randomized SNI names shows I can open connmax and crash 
> the haproxy from a single instance pretty readily.
> 
> If there's other errors that the client can control that lead to a retry like 
> this, they're probably worthy of a CVE.
> 
> It takes approximately 5s per connection to clear the connection in this 
> condition.
> 
> I'll see if retries 0 will work for our use case, but I'd hate to think we'd 
> have to give up non-client-controlled retry support entirely (ie for a 
> backend apache restart, retry to another app server...) due to this.
> 
> —


You can add ‘strict-sni’ on the bind line to reject all requests with an unknown 
SNI.

Manu
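As an added illustration of the option named above (example configuration, not part of the thread and not taken from HAProxy's own documentation or code), the frontend below is shown once without and once with `strict-sni`. The certificate directory, backend name, server addresses and timeouts are placeholders chosen for the example.

```haproxy
# Added example: TLS-terminating frontend before and after 'strict-sni'.
# Paths, names and addresses below are placeholders, not real deployment values.

global
    # Upper bound on concurrent connections the process will accept.
    maxconn 20000

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# BEFORE: when no loaded certificate matches the SNI the client sent, HAProxy
# falls back to the default certificate, so any SNI value completes the
# handshake and reaches the HTTP layer (and whatever retry logic sits behind it).
#frontend https_in
#    bind :443 ssl crt /etc/haproxy/certs/
#    default_backend app_servers

# AFTER: with 'strict-sni' the TLS negotiation is allowed only if the client
# provided an SNI that resolves to a loaded certificate; otherwise the
# handshake is aborted with a fatal alert and the default certificate is not
# used. Unknown names are dropped before any HTTP processing.
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni
    default_backend app_servers

backend app_servers
    # Server-side retries stay in place for backend failures (a restart, a
    # dead app server); they are not reachable through the client's SNI.
    retries 3
    option redispatch
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. To confirm the behaviour, `openssl s_client -connect <host>:443 -servername <name-with-no-certificate>` should now end in a TLS alert (OpenSSL reports it as "unrecognized name") instead of completing a handshake against the default certificate, while the same command with a name that matches one of the loaded certificates still negotiates normally.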

