Hi Tomas and All,

>>> On 1/16/2012 at 11:31 PM, in message <20120116163148.4f325...@redhat.com>,
Tomas Hoger <tho...@redhat.com> wrote: 
> On Wed, 11 Jan 2012 21:04:33 -0700 Guan Jun He wrote:
> 
>> > It seems you're trying to address more than just CVE-2011-1473 via
>> > this patch, which results in a fairly large patch.  Why do you need
>> > to track client IP at all?  This issue is about client's ability to
>> > do unlimited number of renegotiations within single connection.  To
>> > limit that (either to a maximum total, or rate limiting), you
>> > should not really need to care about client's IP.
>> 
>> If do not care about client's IP, then the rate limiting is aimless,
>> that means all legitimate ssl requests will be blocked, and cause
>> another 'DoS'.
> 
> The issue is about renegotiations.  If the fix allows all initial
> handshakes and only penalizes all connections that do many rehandshakes,
> there's no DoS as you suggest and it should be sufficient to address
> CVE-2011-1473.

Actually, the patch is based on the ssl protocol's "client hello";
initial handshakes and rehandshakes both use this, so the patch
does not distinguish between them: each "client hello" it finds just increments the counter.
So it can fix both 'initial handshake DoS' and 'rehandshake DoS'.

thanks,
Guanjun
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
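To make the two positions in the thread concrete, here is an added illustration (not Guan Jun He's patch and not OpenSSL code) of the per-connection scheme Tomas describes: the first ClientHello on a connection is the initial handshake and is always accepted, every later ClientHello is a renegotiation, and a connection is refused only once its own renegotiations exceed a total cap or a rate within a sliding window. No client IP is tracked, so one connection's behaviour never affects another's initial handshake. The class name, thresholds and the constructed event trace in `run_demo()` are all assumptions chosen for the example.

```python
"""Per-connection renegotiation limiting (added example, not OpenSSL code).

Counts ClientHello messages per TLS connection. The initial handshake is
exempt; renegotiations are capped both in total and per time window.
Connection ids and timestamps are supplied by the caller (assumed to come
from the server's connection bookkeeping).
"""
from collections import deque


class RenegotiationLimiter:
    """Hypothetical limiter; thresholds are example values, not OpenSSL's."""

    def __init__(self, max_total=10, max_per_window=3, window_seconds=60.0):
        self.max_total = max_total            # lifetime renegotiations per connection
        self.max_per_window = max_per_window  # renegotiations allowed per window
        self.window_seconds = window_seconds  # sliding window length in seconds
        self._totals = {}   # conn_id -> renegotiations seen so far
        self._recent = {}   # conn_id -> deque of renegotiation timestamps in window

    def on_client_hello(self, conn_id, now):
        """Record one ClientHello on `conn_id` at time `now` (seconds).

        Returns 'initial' for the first ClientHello on the connection,
        'renegotiate' for an allowed renegotiation, or 'reject' when the
        connection has exceeded either limit and should be dropped.
        """
        if conn_id not in self._totals:
            # First ClientHello: the initial handshake. Never penalised, so a
            # flood of new connections is a separate problem from CVE-2011-1473.
            self._totals[conn_id] = 0
            self._recent[conn_id] = deque()
            return "initial"

        total = self._totals[conn_id] + 1
        self._totals[conn_id] = total

        window = self._recent[conn_id]
        window.append(now)
        # Drop timestamps that have aged out of the sliding window.
        while window and now - window[0] > self.window_seconds:
            window.popleft()

        if total > self.max_total or len(window) > self.max_per_window:
            return "reject"
        return "renegotiate"

    def close(self, conn_id):
        """Forget a connection once it is torn down so state cannot grow unbounded."""
        self._totals.pop(conn_id, None)
        self._recent.pop(conn_id, None)


def run_demo():
    """Replay a constructed trace of (conn_id, time) ClientHello events.

    'good' renegotiates occasionally; 'abuser' renegotiates in a tight loop
    on a single connection, which is the CVE-2011-1473 pattern. Returns the
    verdict list per connection so the effect can be inspected or asserted.
    """
    limiter = RenegotiationLimiter(max_total=5, max_per_window=2, window_seconds=10.0)
    trace = [  # constructed sample events, not captured traffic
        ("good", 0.0), ("abuser", 0.0),
        ("abuser", 0.1), ("abuser", 0.2), ("abuser", 0.3), ("abuser", 0.4),
        ("good", 30.0), ("good", 61.0),
    ]
    verdicts = {}
    for conn_id, t in trace:
        verdicts.setdefault(conn_id, []).append(limiter.on_client_hello(conn_id, t))
    return verdicts


if __name__ == "__main__":
    for conn, result in run_demo().items():
        print(conn, result)
```

The rate limit and the lifetime cap answer different abuse shapes: the window catches a burst of renegotiations on one connection, while the total cap bounds the CPU a single long-lived connection can ever consume. Because the initial ClientHello is exempt and state is keyed by connection rather than address, legitimate clients behind a shared NAT are not blocked by someone else's behaviour, which is the "another DoS" concern raised earlier in the thread.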