[stunnel-users] SSL renegotiation patch

Janusz Dziemidowicz rraptorr at nails.eu.org
Tue Aug 7 23:28:48 CEST 2012

2012/8/5 Michal Trojnara <Michal.Trojnara at mirt.net>:
> On 2012-08-03 17:53, Janusz Dziemidowicz wrote:
>> I'm not sure what I'm supposed to do with the licensing. From my point of
>> view I can release it as public domain (whatever that requires).
> Thank you.  I can reconsider your patch if you declare your patch public
> domain.

Then I declare that the SSL renegotiation stunnel patch, attached to
the beginning of this thread, is hereby released into the public
domain, with no rights reserved.

> In the mean time these links may be interesting to you:
> http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
> ftp://ftp.stunnel.org/sslsqueeze/

Nice idea with iptables magic. However, as the author points out,
bypassing it should be quite simple (splitting the SSL handshake across a
packet boundary should be even simpler than IP fragmentation). People
are usually caught off guard by DoS attacks, and disabling
renegotiation with TCP rate limiting is a much cleaner solution (but
obviously not perfect).

Janusz Dziemidowicz
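The bypass Janusz mentions (a TLS record header split across a packet boundary) and why a stream-aware check is not fooled by it, as an added example that is not part of this thread or of the stunnel patch; the record layout, the segment splitting and the "renegotiation flood" connection are all constructed here:

```python
# Constructed example: a per-segment TLS record check can be bypassed by splitting a
# record header across TCP segments; reassembling the stream first still counts them.
HANDSHAKE = 22          # TLS record content type for handshake messages
APPLICATION_DATA = 23   # TLS record content type for application data

def tls_record(ctype: int, payload: bytes) -> bytes:
    """Build one TLS 1.0 record: type, version 3.1, 2-byte length, payload."""
    return bytes([ctype, 3, 1]) + len(payload).to_bytes(2, "big") + payload

def parse_records(stream: bytes):
    """Yield (content_type, payload) for every complete record in the stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype = stream[pos]
        length = int.from_bytes(stream[pos + 3:pos + 5], "big")
        if pos + 5 + length > len(stream):
            break  # truncated record: a real parser would wait for more bytes
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def count_handshake_records(segments) -> int:
    """Stream-aware: reassemble the TCP payload first, then count handshake records."""
    return sum(1 for ctype, _ in parse_records(b"".join(segments)) if ctype == HANDSHAKE)

def count_handshake_records_per_packet(segments) -> int:
    """Naive: inspect only the first bytes of each segment, as a fixed-offset
    packet filter does; a header that straddles two segments is never seen."""
    return sum(1 for s in segments if len(s) >= 5 and s[0] == HANDSHAKE and s[1] == 3)

def split_across_segments(records):
    """Cut each record so its first two header bytes end the previous segment."""
    segments, carry = [], b""
    for rec in records:
        segments.append(carry + rec[:2])
        carry = rec[2:]
    segments.append(carry)
    return segments

def renegotiation_flood(n: int, split: bool):
    """Constructed connection: one application-data record, then n handshake
    records (a client renegotiating n times); one record per segment unless split."""
    records = [tls_record(APPLICATION_DATA, b"A" * 16)]
    records += [tls_record(HANDSHAKE, bytes(32)) for _ in range(n)]
    return split_across_segments(records) if split else records

if __name__ == "__main__":
    for split in (False, True):
        s = renegotiation_flood(3, split)
        print(f"split={split}: per-packet={count_handshake_records_per_packet(s)}, "
              f"stream={count_handshake_records(s)}")
```

With the records split, the per-packet count drops to zero while the stream count still reports all three handshake records, which is the gap a server-side renegotiation limit closes regardless of how the bytes are segmented.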

