|
Resending this hoping for a response from someone who has information on disabling TLS renegotiation from the Client side.
Thanks,
Sashank
From: samullap <samullap@xxxxxxxxx>
Date: Tuesday, 22 November 2016 at 12:21 PM To: "openssl-users@xxxxxxxxxxx" <openssl-users@xxxxxxxxxxx> Cc: "Ram Mohan R (rmohanr)" <rmohanr@xxxxxxxxx>, "Anil Kumar (anilkum)" <anilkum@xxxxxxxxx>, "Nikhil Mittal (nimittal)" <nimittal@xxxxxxxxx> Subject: Disabling Client-Initiated TLS renegotiation Hi,
As part of securing our web interfaces, we wanted to disable client-initiated TLS renegotiation.
The reasoning for this requirement is as follows- Generally,
renegotiation of TLS sessions is much more resource-intensive for the server than the client, and should therefore not be performed at will to avoid degrading performance. Disabling client from renegotiating secures the server from undergoing a DoS attack
due to continuous renegotiation requests.
I see that there is an option SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION,
but that is to secure the renegotiation, not disable it.
I wanted to check if there is a patch or flag available to disable any
negotiation initiated from the client side.
Thanks and Regards,
Sashank
|
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
