On Tue, 15 Nov 2011 02:48:28 -0700,
"Guan Jun He" <[email protected]> wrote:

>    Add a switch to renegotiation, so that renegotiation can be
> controlled by the program. And it provides a way for programmers to
> implement some sort of custom throttling. Basically, this patch is
> produced with the background of CVE-2011-1473, the DoS against
> renegotiation. You guys must have known it. Maybe the patch is not that
> useful for some use cases. But it's the first step, and it gives apps
> an easy choice to fight against DoS. And maybe the second step can
> also be done in openssl: add a simple monitor to monitor client
> initiated renegotiations (for each session or just globally), and
> according to the monitoring result, set the renegotiation switch
> for a time slice. The monitor can be as simple as just a counter; I'm
> still seeking an efficient way to do this. And I ask for comments and
> advice from you guys.

If I understood the THC DoS, this is completely pointless. Their tool
uses renegotiation, but there's absolutely nothing special about
renegotiation; the attack also works with normal connections.

See THC on this matter:
"SSL-DOS released. Some organizations already found out
about this release a while ago and mistakenly identified it as an
SSL-RENEGOTIATION BUG. This is not true. The tool can be modified to
work without SSL-RENEGOTIATION by just establishing a new TCP
connection for every new handshake. "
http://www.thc.org/thc-ssl-dos/


Also, there's been a lot of mixup with old and new renegotiation and
wrong info floating around. The THC DoS is not really related to that.

It's not easy to find a clean way to mitigate those issues - the core
problem is that a connection causes more load on the server than on the
initiating client - changing that would be possible only in the TLS
design. Connection limits can help (though they shouldn't be
limited to renegotiation), but it's not really a nice solution.

-- 
Hanno Böck              mail/jabber: [email protected]
GPG: BBB51E42           http://www.hboeck.de/
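An added illustration of the two positions in this thread, not code from OpenSSL or from either poster: a per-client handshake counter over a time slice, as Guan Jun He sketches, run in two modes. With `count_new_connections=False` it throttles renegotiations only, which is what the proposed switch amounts to; with `count_new_connections=True` it counts a fresh-connection handshake the same as a renegotiation, which is what Hanno's objection calls for. The class and function names, the client addresses, the limit, the window and the event trace are all constructed for this example; in a real server the `allow` check would sit in the accept loop and wherever the application decides whether to honour a renegotiation request.

```python
from collections import defaultdict, deque


class HandshakeThrottle:
    """Per-client handshake counter over a sliding time slice (constructed example).

    count_new_connections=False reproduces a renegotiation-only switch: a
    handshake on a fresh TCP connection is never refused.  count_new_connections=True
    treats a fresh-connection handshake and a renegotiation identically, since
    the server pays roughly the same cost either way.
    """

    def __init__(self, max_handshakes, window_seconds, count_new_connections=True):
        self.max_handshakes = max_handshakes
        self.window = window_seconds
        self.count_new_connections = count_new_connections
        self._times = defaultdict(deque)   # client address -> handshake timestamps

    def allow(self, addr, kind, now):
        """Return True if a handshake of `kind` ("new" or "renegotiation")
        from `addr` at time `now` (seconds) may proceed."""
        if kind == "new" and not self.count_new_connections:
            return True                     # renegotiation-only policy: not counted at all
        q = self._times[addr]
        while q and now - q[0] >= self.window:
            q.popleft()                     # drop handshakes that fell out of the time slice
        if len(q) >= self.max_handshakes:
            return False                    # this client's budget for the slice is spent
        q.append(now)
        return True


def build_trace():
    """Constructed event log of (time, client, kind).  One client fires 50
    handshakes within one second, alternating renegotiation and fresh
    connection; a second client does three ordinary handshakes; the first
    client returns after the window has elapsed."""
    events = []
    for i in range(50):
        kind = "renegotiation" if i % 2 == 0 else "new"
        events.append((i * 0.02, "10.0.0.1", kind))
    events += [(0.5, "192.0.2.5", "new"),
               (0.7, "192.0.2.5", "renegotiation"),
               (0.9, "192.0.2.5", "new"),
               (12.0, "10.0.0.1", "new")]
    return sorted(events)


def run_trace(throttle, events):
    """Replay events through the throttle; return per-client allowed/refused counts."""
    summary = defaultdict(lambda: {"allowed": 0, "refused": 0})
    for now, addr, kind in events:
        verdict = "allowed" if throttle.allow(addr, kind, now) else "refused"
        summary[addr][verdict] += 1
    return dict(summary)


if __name__ == "__main__":
    trace = build_trace()
    for mode in (False, True):
        throttle = HandshakeThrottle(max_handshakes=20, window_seconds=10.0,
                                     count_new_connections=mode)
        print("count_new_connections=%s -> %s" % (mode, run_trace(throttle, trace)))
```

Replaying the same trace through both modes makes the point of the thread concrete: the renegotiation-only policy refuses just 5 of the bursting client's 51 handshakes, because the 25 it sent on fresh connections are never counted, while the combined counter refuses 30 and still lets the same client back in once the window has passed. The ordinary client is untouched in both modes.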
