2012/8/2 Michal Trojnara Michal.Trojnara@mirt.net:
On 2012-08-02 21:01, Janusz Dziemidowicz wrote:
I was kinda hoping for some feedback and maybe inclusion of the patch in the next stunnel release;) Or should I send it elsewhere?
I have uploaded your patch to: ftp://ftp.stunnel.org/stunnel/contrib/stunnel-4.54b4-renegotiation.diff
There are two reasons your patch won't be included in stunnel:
1. I refuse to include workarounds for issues (to be) fixed in OpenSSL. Using an outdated OpenSSL is a very bad idea.
2. Licensing: http://www.stunnel.org/pipermail/stunnel-announce/2011-January/000050.html
Thanks for your feedback. However, the first point is not what this patch is about. The main reason for this patch was to make DoS attacks, using renegotiation, on SSL services harder (as is explained in the provided link). Renegotiation support has nothing to do with OpenSSL and is a feature of the SSL/TLS protocol itself (it really doesn't matter what kind of renegotiation is used, insecure or secure). Renegotiation is used sometimes (it is present in SSL/TLS for a reason), but in many cases it is completely unnecessary (HTTP doesn't need this), so this patch makes it possible to disable it. It is not about the insecure renegotiation flaw (but it can prevent this too, as a side effect, hence my note about this).
I'm not sure what I'm supposed to do with the licensing. From my point of view I can release it as public domain (whatever that requires).
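The mitigation discussed in this thread (refusing client-initiated renegotiation on a server that does not need it) can be expressed today without patching stunnel, because newer OpenSSL builds expose a dedicated context option. The following is an added example, not code from the thread or from the stunnel project: it builds a hardened server-side `SSLContext` with Python's standard `ssl` module and reports which hardening options are in effect. It assumes Python 3.7 or later linked against OpenSSL 1.1.0h or later, where `ssl.OP_NO_RENEGOTIATION` is defined; on older builds the flag is absent and the helper reports renegotiation as still enabled rather than failing.

```python
import ssl

# SSL_OP_NO_RENEGOTIATION only exists in OpenSSL >= 1.1.0h; Python exposes it
# as ssl.OP_NO_RENEGOTIATION when available. Fall back to 0 so the code still
# runs (and honestly reports "not disabled") on older builds.
RENEGOTIATION_FLAG = getattr(ssl, "OP_NO_RENEGOTIATION", 0)

# Options a server-side TLS context should carry. Names are Python's own
# ssl.OP_* constants; missing ones (older builds) are skipped.
HARDENING_OPTIONS = {
    "no_renegotiation": RENEGOTIATION_FLAG,          # the point of the thread
    "no_compression": getattr(ssl, "OP_NO_COMPRESSION", 0),
    "cipher_server_preference": getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0),
}


def hardened_server_context() -> ssl.SSLContext:
    """Build a server context that refuses client-initiated renegotiation.

    PROTOCOL_TLS_SERVER already disables SSLv2/SSLv3; we additionally set the
    options above. Certificate loading is left to the caller (constructed
    example: no key material is embedded).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for flag in HARDENING_OPTIONS.values():
        if flag:
            ctx.options |= flag
    return ctx


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    """True only if the build supports the flag and the context carries it."""
    return bool(RENEGOTIATION_FLAG) and bool(ctx.options & RENEGOTIATION_FLAG)


def hardening_report(ctx: ssl.SSLContext) -> dict:
    """Map each hardening option name to whether it is set on ctx.

    An option whose flag is 0 (unsupported by this build) is reported False,
    so an operator sees exactly which protections are actually in force.
    """
    return {
        name: bool(flag) and bool(ctx.options & flag)
        for name, flag in HARDENING_OPTIONS.items()
    }


if __name__ == "__main__":
    context = hardened_server_context()
    for name, enabled in hardening_report(context).items():
        print(f"{name:28s} {'yes' if enabled else 'NO (unsupported here)'}")
```

The report is deliberately pessimistic: on an OpenSSL build that predates the option, `no_renegotiation` prints as not in force, which is the situation the original patch was written to address by other means.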