[stunnel-users] SSL renegotiation patch

Janusz Dziemidowicz rraptorr at nails.eu.org
Fri Aug 3 17:53:38 CEST 2012


2012/8/2 Michal Trojnara <Michal.Trojnara at mirt.net>:
> On 2012-08-02 21:01, Janusz Dziemidowicz wrote:
>>
>> I was kinda hoping for some feedback and maybe inclusion of the patch in
>> the next stunnel release;) Or should I send it elsewhere?
>
>
> I have uploaded your patch to:
> ftp://ftp.stunnel.org/stunnel/contrib/stunnel-4.54b4-renegotiation.diff
>
> There are two reasons your patch won't be included in stunnel:
> 1. I refuse to include workarounds for issues (to be) fixed in OpenSSL.
> Using an outdated OpenSSL is a very bad idea.
> 2. Licensing:
> http://www.stunnel.org/pipermail/stunnel-announce/2011-January/000050.html

Thanks for your feedback. However, the first point is not what this
patch is about. The main reason for this patch was to make DoS
attacks, using renegotiation, on SSL services harder (as is explained
in the provided link). Renegotiation support has nothing to do with
OpenSSL and is a feature of the SSL/TLS protocol itself (it really doesn't
matter what kind of renegotiation is used, insecure or secure).
Renegotiation is used sometimes (it is present in SSL/TLS for a
reason), but in many cases it is completely unnecessary (HTTP doesn't
need this), so this patch makes it possible to disable it.
It is not about the insecure renegotiation flaw (but it can prevent this
too, as a side effect, hence my note about this).

I'm not sure what I'm supposed to do with the licensing. From my
point of view I can release it as public domain (whatever that
requires).

-- 
Janusz Dziemidowicz
