On 23/01/2017 11:04 p.m., Christos Tsantilas wrote:
> On 22/01/2017 07:11 p.m., Amos Jeffries wrote:
>> On 23/01/2017 1:03 a.m., Christos Tsantilas wrote:
>>>
>>> There is a well-known DoS attack using client-initiated SSL/TLS
>>> renegotiation. The severity or uniqueness of this attack method is
>>> disputed, but many believe it is serious/real.
>>> There is even a (disputed) CVE 2011-1473:
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
>>>
>>> The old Squid code tried to disable client-initiated renegotiation, but
>>> it did not work reliably (or at all), depending on Squid version, due to
>>> OpenSSL API changes and conflicting SslBump callbacks. That code is now
>>> removed and client-initiated renegotiations are allowed.
>>>
>>> With this change, Squid aborts the TLS connection, with a level-1 ERROR
>>> message if the rate of client-initiated renegotiate requests exceeds 5
>>> requests in 10 seconds (approximately). This protection and the rate
>>> limit are currently hard-coded but the rate is not expected to be
>>> exceeded under normal circumstances.
>>>
>>> This is a Measurement Factory project
>>>
>>
+1.

Amos
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
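The rate limit described in the quoted change (abort the TLS session once client-initiated renegotiations exceed 5 in roughly 10 seconds) is easiest to reason about as a per-connection sliding-window counter. The following C++ is an added illustration written for this page, not Squid's own implementation: the class name, its method names, the use of a monotonic clock in seconds and the sample timestamps are all assumptions of the example. It shows how such a counter decides, for a burst of renegotiations, which one crosses the threshold and should make the server drop the connection.

```cpp
// Added illustration (not Squid's own code): a sliding-window counter that
// a TLS server could keep per connection to detect a renegotiation flood.
// The threshold (5 renegotiations in 10 seconds) mirrors the hard-coded
// limit mentioned in the thread; everything else here is an assumption.
#include <cstddef>
#include <cstdio>
#include <deque>

class RenegotiationLimiter {
public:
    // maxEvents: renegotiations permitted inside any windowSeconds interval.
    RenegotiationLimiter(std::size_t maxEvents = 5, double windowSeconds = 10.0)
        : maxEvents_(maxEvents), window_(windowSeconds) {}

    // Record a client-initiated renegotiation observed at time `now`
    // (monotonic seconds). Returns true if the connection may continue,
    // false if the limit was exceeded and the caller should abort the
    // session (and log it, as the thread describes for Squid).
    bool onRenegotiation(double now) {
        // Expire timestamps that have fallen out of the window.
        while (!events_.empty() && now - events_.front() >= window_)
            events_.pop_front();
        events_.push_back(now);
        return events_.size() <= maxEvents_;
    }

    std::size_t recentCount() const { return events_.size(); }

private:
    std::size_t maxEvents_;
    double window_;
    std::deque<double> events_;  // renegotiation timestamps inside the window
};

// Replays a sequence of renegotiation timestamps through a fresh limiter and
// returns the 1-based index of the first one that would be rejected, or 0 if
// the whole sequence stays under the limit.
std::size_t firstRejected(const std::deque<double>& times,
                          std::size_t maxEvents = 5, double window = 10.0) {
    RenegotiationLimiter lim(maxEvents, window);
    std::size_t index = 0;
    for (double t : times) {
        ++index;
        if (!lim.onRenegotiation(t))
            return index;
    }
    return 0;
}

int main() {
    // Constructed sample: a client renegotiating every 0.5 seconds
    // trips the limit on its sixth renegotiation (at t = 2.5 s).
    std::deque<double> flood;
    for (int i = 0; i < 12; ++i)
        flood.push_back(i * 0.5);
    std::printf("flood: first rejected renegotiation #%zu\n", firstRejected(flood));

    // Constructed sample: one renegotiation every 3 seconds never has more
    // than four inside any 10-second window, so nothing is rejected.
    std::deque<double> gentle;
    for (int i = 0; i < 8; ++i)
        gentle.push_back(i * 3.0);
    std::printf("gentle: first rejected renegotiation #%zu\n", firstRejected(gentle));
    return 0;
}
```

The window is evaluated per connection, so a single abusive client cannot consume the budget of others, and because old timestamps are expired before the new one is counted, a sixth renegotiation exactly 10 seconds after the first is still accepted while one at 9.9 seconds is not.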
