[stunnel-users] SSL renegotiation patch

• Previous message (by thread): [stunnel-users] SSL renegotiation patch
• Next message (by thread): [stunnel-users] SSL renegotiation patch
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2012/8/5 Michal Trojnara <Michal.Trojnara at mirt.net>:
> On 2012-08-03 17:53, Janusz Dziemidowicz wrote:
>
> I'm not sure what I'am supposed to do with the licensing. From my point of
> view I can release it as public domain (whatever that requires).
>
>
> Thank you.  I can reconsider your patch if you declare you patch public
> domain.

Then I declare that the SSL renegotiation stunnel patch, attached to
the beginning of this thread, is hereby released into the public
domain, with no rights reserved.

> In the mean time these links may be interesting to you:
>
> http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
> ftp://ftp.stunnel.org/sslsqueeze/

Nice idea with iptables magic. However, as the author points,
bypassing it should be quite simple (splitting SSL handshake across
packet boundary should be even simpler than IP fragmentation). People
usually are caught off-hand with DoS attacks, and disabling
renegotiation with TCP rate limiting is a much cleaner solution (but
obviously not perfect).

-- 
Janusz Dziemidowicz

• Previous message (by thread): [stunnel-users] SSL renegotiation patch
• Next message (by thread): [stunnel-users] SSL renegotiation patch
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]