Hello, Add a switch to renegotiation, so that renegotiation can be controlled by the program. And it provides a way for the programmer to implement some sort of custom throttling. Basically, this patch is produced with the background of CVE-2011-1473, the DoS against renegotiation. You guys must have known it. Maybe the patch is not that useful for some use cases. But, it's the first step, and it gives apps an easy choice to fight against DoS. And, maybe the second step can also be done in openssl: add a simple monitor to monitor client initiated renegotiations (for each session or just globally), and according to the monitoring result set the renegotiation switch for a time slice. The monitor can be as simple as just a counter. I'm still seeking an efficient way to do this, and ask for comments and advice from you guys.
Regards, Guanjun
diff -Nupr openssl.orig//ssl/t1_lib.c openssl//ssl/t1_lib.c --- openssl.orig//ssl/t1_lib.c 2011-11-15 16:52:13.000000000 +0800 +++ openssl//ssl/t1_lib.c 2011-11-15 17:00:53.000000000 +0800 @@ -1052,6 +1052,10 @@ int ssl_parse_clienthello_tlsext(SSL *s, } else if (type == TLSEXT_TYPE_renegotiate) { + if (getenv("OPENSSL_NO_RENEGOTIATION") != NULL) + { + return 0; + } if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) return 0; renegotiate_seen = 1;
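Review bot: The early `return 0;` in the `TLSEXT_TYPE_renegotiate` branch fails the parse without assigning `*al`, whereas the existing path hands `al` to `ssl_parse_clienthello_renegotiate_ext` so the caller can send a specific fatal alert; set `*al` (e.g. `SSL_AD_HANDSHAKE_FAILURE`) before returning so the peer receives a meaningful alert instead of whatever value `al` already held. The check also does not distinguish an initial ClientHello from a renegotiating one: RFC 5746 clients send `renegotiation_info` on the very first handshake, so with `OPENSSL_NO_RENEGOTIATION` set every secure-renegotiation-capable client is refused outright rather than just being denied renegotiation. Finally, a `getenv()` per ClientHello is a process-wide knob read on the hot path, not the per-application switch the cover letter describes; a `SSL_CTX`/`SSL` option (an `SSL_OP_*` bit set via `SSL_CTX_set_options`) would let the throttling logic you propose toggle it per connection and per time slice, and the new variable needs a mention in the documentation either way.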