On Sun, 19 Feb 2012 18:44:24 -0700 Guan Jun He wrote:

> >> > It seems you're trying to address more than just CVE-2011-1473
> >> > via this patch, which results in a fairly large patch. Why do
> >> > you need to track client IP at all? This issue is about
> >> > client's ability to do unlimited number of renegotiations within
> >> > single connection. To limit that (either to a maximum total, or
> >> > rate limiting), you should not really need to care about
> >> > client's IP.
> >>
> >> If we do not care about client's IP, then the rate limiting is
> >> aimless; that means all legitimate ssl requests will be blocked,
> >> and cause another 'DoS'.
> >
> > The issue is about renegotiations. If the fix allows all initial
> > handshakes and only penalizes all connections that do many
> > rehandshakes, there's no DoS as you suggest and should be sufficient
> > to address CVE-2011-1473.
>
> Actually, the patch is based on the ssl protocol's "client hello";
> initial handshakes and rehandshakes both use this, so the patch
> does not differentiate them: finding one "client hello" just increases
> the counter. So, it can fix both 'initial handshakes DoS' and
> 'rehandshakes DoS'.
Yes, I understand what you're trying to do with your patch. I was only suggesting that the extra checks you do on top of what CVE-2011-1473 is about result in a bigger (read: apparently less likely to be accepted) patch. But again, I can't speak for the openssl team, just offering my 2c.

th.
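The two policies argued over above can be compared on a constructed event stream. This is an added model, not code from the thread, from the patch under discussion, or from OpenSSL; the event format, the connection names, the NAT address and the limits are all assumptions.

```python
"""Model of the two ClientHello-counting policies discussed in the thread.

Events are constructed tuples (client_ip, conn_id, kind); kind is "client_hello".
"""
from collections import defaultdict

RENEG_LIMIT = 3  # assumed: renegotiations tolerated per connection before it is closed


def per_connection_policy(events, limit=RENEG_LIMIT):
    """Count ClientHellos per connection only (no client IP state).

    The first ClientHello on a connection is the initial handshake; every
    later one is a renegotiation. Returns the set of connections closed."""
    hellos = defaultdict(int)
    closed = set()
    for _ip, conn, kind in events:
        if kind != "client_hello" or conn in closed:
            continue
        hellos[conn] += 1
        if hellos[conn] - 1 > limit:  # renegotiations so far exceed the limit
            closed.add(conn)
    return closed


def per_ip_policy(events, limit):
    """Count every ClientHello per source IP, initial handshakes included,
    without distinguishing connections. Returns the set of connections refused."""
    hellos = defaultdict(int)
    refused = set()
    for ip, conn, kind in events:
        if kind != "client_hello":
            continue
        hellos[ip] += 1
        if hellos[ip] > limit:
            refused.add(conn)
    return refused


def constructed_events():
    """Constructed sample: ten legitimate clients behind one NAT address, one
    handshake each, plus one connection from that address renegotiating 20 times."""
    nat_ip = "198.51.100.7"  # documentation address, assumed
    events = [(nat_ip, f"legit-{i}", "client_hello") for i in range(10)]
    events += [(nat_ip, "abuser", "client_hello")] * 21
    return events
```

With these inputs the per-connection rule closes only the renegotiating connection, while a per-IP budget of five ClientHellos also refuses half of the legitimate clients sharing the address.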