On 15.11.21 21:50, Stoiko Ivanov wrote:
> The issue is probably not critical and best addressed by not running
> the perl API servers in an exposed environment or, when this needs to
> be done, by installing a reverse proxy in front of them.
>
> The DoS potential of the perl daemons is limited more by the limited
> number of parallel workers (and the memory constraints of starting
> more of them) than by the CPU cycles wasted on TLS renegotiation.
>
> Still, disabling TLS renegotiation should show very little downside:
> * it was removed in TLS 1.3 for security reasons
> * it was the way nginx addressed this issue [1]
> * we do not use client certificate authentication
>
> Tested by running `openssl s_client -no_tls1_3 -connect 192.0.2.1:8006`
> and issuing a `HEAD / HTTP/1.1\nR\n`
> with and without the patch.
>
> [1] 70bd187c4c386d82d6e4d180e0db84f361d1be02 at
> https://github.com/nginx/nginx (although that code adapted to
> the various changes in the openssl API over the years)
>
> Signed-off-by: Stoiko Ivanov <[email protected]>
> ---
> src/PVE/APIServer/AnyEvent.pm | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
applied, thanks!

_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
