2012/6/27 Janusz Dziemidowicz rraptorr@nails.eu.org:
Hi, since I couldn't find a better place I'm sending a simple patch that allows disabling SSL renegotiation here. Possible reasons for this:
- the famous SSL renegotiation flaw, patched in OpenSSL a long time ago, but not everyone can or wants to upgrade OpenSSL
- renegotiation makes some DoS attacks much easier (see http://www.thc.org/thc-ssl-dos/), regardless of whether it is secure renegotiation or not
- it is really not needed in many cases
The approach is based on what is being done in Apache. The default is to allow renegotiation, so there should be no surprises for anyone after upgrading. The patch applies to the latest (4.54b4) stunnel beta. Feel free to comment :)
I was kinda hoping for some feedback and maybe inclusion of the patch in the next stunnel release ;) Or should I send it elsewhere?