2012/8/5 Michal Trojnara Michal.Trojnara@mirt.net:
On 2012-08-03 17:53, Janusz Dziemidowicz wrote:
I'm not sure what I'm supposed to do with the licensing. From my point of view I can release it as public domain (whatever that requires).
Thank you. I can reconsider your patch if you declare your patch public domain.
Then I declare that the SSL renegotiation stunnel patch, attached to the beginning of this thread, is hereby released into the public domain, with no rights reserved.
In the meantime these links may be interesting to you:
http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
ftp://ftp.stunnel.org/sslsqueeze/
Nice idea with iptables magic. However, as the author points out, bypassing it should be quite simple (splitting SSL handshake across packet boundary should be even simpler than IP fragmentation). People usually are caught off-hand with DoS attacks, and disabling renegotiation with TCP rate limiting is a much cleaner solution (but obviously not perfect).
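The mitigation named at the end of the thread, disabling TLS renegotiation and capping the rate at which any one client may open new connections (handshakes), as an added example that is not the stunnel patch under discussion nor any stunnel code. It assumes a Python server that wraps accepted sockets with the `ssl` module; the per-source limiter is a sliding-window counter keyed by peer address, and the sample connection events at the bottom are constructed for the demonstration.

```python
"""Defender-side mitigation for renegotiation/handshake DoS (added example).

Two pieces, mirroring the thread's suggestion:
  1. a TLS server context with renegotiation switched off, and
  2. a per-source-address rate limiter for new connections.
Timestamps are integer milliseconds so the window arithmetic is exact.
"""
import ssl
import time
from collections import defaultdict, deque


def hardened_server_context(certfile=None, keyfile=None):
    """Server SSLContext that refuses client-initiated renegotiation.

    ssl.OP_NO_RENEGOTIATION exists from Python 3.7 / OpenSSL 1.1.0h; it only
    matters for TLS <= 1.2, since TLS 1.3 removed renegotiation entirely.
    certfile/keyfile are optional so the context can be built without
    key material for inspection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if hasattr(ssl, "OP_NO_RENEGOTIATION"):
        ctx.options |= ssl.OP_NO_RENEGOTIATION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def renegotiation_disabled(ctx):
    """True when the context carries OP_NO_RENEGOTIATION."""
    return hasattr(ssl, "OP_NO_RENEGOTIATION") and bool(
        ctx.options & ssl.OP_NO_RENEGOTIATION
    )


class ConnectionRateLimiter:
    """Allow at most `limit` new connections per `window_ms` per peer address.

    Sliding window: keep the timestamps of recent accepted connections per
    peer, drop those older than the window, reject when `limit` remain.
    Memory is bounded by `limit` entries per peer seen in the last window.
    """

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self.history = defaultdict(deque)

    def accept(self, peer_ip, now_ms=None):
        """Return True if a new connection from peer_ip may proceed now."""
        if now_ms is None:
            now_ms = time.monotonic_ns() // 1_000_000
        recent = self.history[peer_ip]
        while recent and now_ms - recent[0] >= self.window_ms:
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now_ms)
        return True


def simulate(limiter, events):
    """Replay (timestamp_ms, peer_ip) events; return {ip: (accepted, rejected)}."""
    tally = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        tally[ip][0 if limiter.accept(ip, ts) else 1] += 1
    return {ip: tuple(counts) for ip, counts in tally.items()}


# Constructed sample: one peer (TEST-NET-3) hammers 20 handshakes in 2 s,
# a second peer (TEST-NET-2) opens two ordinary connections.
SAMPLE_EVENTS = [(i * 100, "203.0.113.7") for i in range(20)] + [
    (0, "198.51.100.20"),
    (500, "198.51.100.20"),
]


def run_sample(limit=5, window_ms=1000):
    """With 5 connections / 1 s the flood is halved, the normal peer is untouched."""
    return simulate(ConnectionRateLimiter(limit, window_ms), SAMPLE_EVENTS)


if __name__ == "__main__":
    print("renegotiation disabled:", renegotiation_disabled(hardened_server_context()))
    print(run_sample())  # {'198.51.100.20': (2, 0), '203.0.113.7': (10, 10)}
```

The limiter decides before the TLS handshake is started, so a flooding peer costs the server a socket accept and a dictionary lookup rather than an RSA operation per attempt; the thread's own caveat still applies, since a distributed source set defeats any per-address budget, and the option only closes the renegotiation path for TLS 1.2 and below.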