[stunnel-users] SSL renegotiation patch

Janusz Dziemidowicz rraptorr at nails.eu.org
Wed Jun 27 23:42:46 CEST 2012


Hi,
since I couldn't find a better place I'm sending a simple patch that
allows disabling SSL renegotiation here. Possible reasons for this:
- famous renegotiation SSL flaw, patched in OpenSSL a long time ago,
but not everyone can or wants to upgrade OpenSSL
- renegotiation makes some DoS attacks much easier (see
http://www.thc.org/thc-ssl-dos/), regardless of it being a secure one
or not
- it is really not needed in many cases

The approach is based on what is being done in Apache. The default is
to allow renegotiation, so there should be no surprises for anyone
after upgrade. Patch applies on latest (4.54b4) stunnel beta. Feel
free to comment :)

-- 
Janusz Dziemidowicz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-4.54b4-renegotiation.diff
Type: application/octet-stream
Size: 5112 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20120627/c09256f2/attachment.obj>
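The mail describes the mechanism only as "based on what is being done in Apache", and the attached diff is not reproduced in the archive. The following is an added illustration, not the poster's patch and not stunnel or Apache code: mod_ssl's approach is to register an OpenSSL info callback, remember when the initial handshake has finished, and treat any later SSL_CB_HANDSHAKE_START on the same connection as a renegotiation, which is then refused by dropping the connection before any further work is done. The bit values for the two callback flags are copied from OpenSSL's ssl.h so the state machine builds and runs without linking libssl; the `struct conn`, the `RENEG_*` names and the `replay()` helper are constructed for this example (in a real callback the per-connection struct would come from `SSL_get_app_data`).

```c
#include <stdbool.h>
#include <stdio.h>

/* Flag bits as defined in <openssl/ssl.h>; repeated here (guarded) so this
 * example compiles stand-alone without the OpenSSL headers. */
#ifndef SSL_CB_HANDSHAKE_START
#define SSL_CB_HANDSHAKE_START 0x10
#endif
#ifndef SSL_CB_HANDSHAKE_DONE
#define SSL_CB_HANDSHAKE_DONE 0x20
#endif

/* Per-connection renegotiation state (constructed; modelled on the idea of
 * mod_ssl's reneg_state, not a copy of it). */
enum reneg_state {
    RENEG_INIT = 0, /* initial handshake not finished yet */
    RENEG_REJECT,   /* handshake done; a further HANDSHAKE_START is a renegotiation */
    RENEG_ALLOW,    /* handshake done; renegotiation permitted by configuration */
    RENEG_ABORT     /* renegotiation attempted while rejected: close the connection */
};

struct conn {
    bool allow_renegotiation;  /* the configuration knob the patch would add */
    enum reneg_state state;
    unsigned handshakes;       /* HANDSHAKE_START events seen on this connection */
};

void conn_init(struct conn *c, bool allow_renegotiation)
{
    c->allow_renegotiation = allow_renegotiation;
    c->state = RENEG_INIT;
    c->handshakes = 0;
}

/* Body of an OpenSSL info callback (the function installed with
 * SSL_CTX_set_info_callback). The callback fires with SSL_CB_HANDSHAKE_START
 * at the beginning of every handshake, including renegotiations, and with
 * SSL_CB_HANDSHAKE_DONE when a handshake completes. */
void reneg_info_callback(struct conn *c, int where, int ret)
{
    (void)ret; /* unused: the decision depends only on the handshake events */

    if (where & SSL_CB_HANDSHAKE_START) {
        c->handshakes++;
        /* A second handshake on a connection that already completed one is a
         * renegotiation; mark it so the I/O path refuses to continue. */
        if (c->state == RENEG_REJECT)
            c->state = RENEG_ABORT;
    }
    if ((where & SSL_CB_HANDSHAKE_DONE) && c->state == RENEG_INIT) {
        /* Initial handshake finished: from now on decide per configuration. */
        c->state = c->allow_renegotiation ? RENEG_ALLOW : RENEG_REJECT;
    }
}

/* Checked by the I/O loop before servicing the connection: true means the
 * connection must be closed instead of read from or written to. */
bool reneg_must_abort(const struct conn *c)
{
    return c->state == RENEG_ABORT;
}

/* Replay a constructed sequence of callback events and return the final state. */
enum reneg_state replay(bool allow, const int *events, int n)
{
    struct conn c;
    conn_init(&c, allow);
    for (int i = 0; i < n; i++)
        reneg_info_callback(&c, events[i], 1);
    return c.state;
}

int main(void)
{
    /* Constructed event traces: a normal connection, and one where the peer
     * starts a second handshake after the first completed. */
    const int normal[] = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE };
    const int reneg[]  = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
                           SSL_CB_HANDSHAKE_START };

    printf("normal, reneg disabled: state=%d\n", replay(false, normal, 2));
    printf("reneg,  reneg disabled: state=%d (abort=%d)\n",
           replay(false, reneg, 3), replay(false, reneg, 3) == RENEG_ABORT);
    printf("reneg,  reneg allowed:  state=%d\n", replay(true, reneg, 3));
    return 0;
}
```

The point of deciding at HANDSHAKE_START rather than after the renegotiation completes is that the connection is dropped before the server performs the expensive private-key operation of the second handshake, which is what the thc-ssl-dos tool exploits. On OpenSSL 1.1.1 and later the same effect is available inside the library through the `SSL_OP_NO_RENEGOTIATION` option, and TLS 1.3 has no renegotiation at all; the callback approach is what remains for the older OpenSSL builds the mail mentions.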

