[stunnel-users] SSL renegotiation patch
Janusz Dziemidowicz
rraptorr at nails.eu.org
Wed Jun 27 23:42:46 CEST 2012
Hi,

since I couldn't find a better place, I'm sending a simple patch that
allows disabling SSL renegotiation here. Possible reasons for this:
- the famous SSL renegotiation flaw, patched in OpenSSL a long time ago,
but not everyone can or wants to upgrade OpenSSL
- renegotiation makes some DoS attacks much easier (see
http://www.thc.org/thc-ssl-dos/), regardless of whether it is a secure
one or not
- it is really not needed in many cases

The approach is based on what is being done in Apache. The default is
to allow renegotiation, so there should be no surprises for anyone
after upgrading. The patch applies to the latest (4.54b4) stunnel beta.
Feel free to comment :)
--
Janusz Dziemidowicz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-4.54b4-renegotiation.diff
Type: application/octet-stream
Size: 5112 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20120627/c09256f2/attachment.obj>
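The patch itself is only an attachment and is not on this page, so the following is an added example (not the poster's patch and not stunnel's or Apache's own code) of the Apache-style mechanism the mail refers to: an OpenSSL info callback notices a second handshake on an already established connection and, when the option disallows renegotiation, marks the connection so that the next read or write tears it down. The names `reneg_conn`, `reneg_on_event`, `reneg_io_allowed` and `run_sequence` are assumptions chosen for this example; the `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` values are those of OpenSSL's `<openssl/ssl.h>`, repeated here only so the code compiles without OpenSSL. The event sequences are constructed sample input.

```c
#include <stdio.h>

/* Bit flags OpenSSL passes in the "where" argument of an SSL info
 * callback. The values are those of <openssl/ssl.h>; they are defined
 * here only so the example compiles without OpenSSL installed. */
#ifndef SSL_CB_HANDSHAKE_START
#define SSL_CB_HANDSHAKE_START 0x10
#endif
#ifndef SSL_CB_HANDSHAKE_DONE
#define SSL_CB_HANDSHAKE_DONE 0x20
#endif

/* Marker used only by the simulation below (constructed, not an
 * OpenSSL value): an application-level SSL_read/SSL_write attempt. */
#define EV_APP_IO (-1)

enum reneg_state {
    RENEG_INIT = 0,    /* no handshake seen on this connection yet */
    RENEG_ESTABLISHED, /* initial handshake finished, data phase */
    RENEG_ABORT        /* renegotiation seen while disabled: tear down */
};

struct reneg_conn {
    int allow_renegotiation; /* per-service option; 1 = allow (the default) */
    enum reneg_state state;
    int handshakes;          /* HANDSHAKE_START events observed */
};

void reneg_conn_init(struct reneg_conn *c, int allow_renegotiation)
{
    c->allow_renegotiation = allow_renegotiation;
    c->state = RENEG_INIT;
    c->handshakes = 0;
}

/* Core of the info callback. In a real build this is called from a
 * function with OpenSSL's signature, void cb(const SSL *ssl, int where,
 * int ret), installed with SSL_CTX_set_info_callback() and locating the
 * per-connection struct through SSL_get_app_data(ssl). */
void reneg_on_event(struct reneg_conn *c, int where)
{
    if (where & SSL_CB_HANDSHAKE_START) {
        c->handshakes++;
        if (c->state != RENEG_INIT && !c->allow_renegotiation) {
            /* A second handshake on an established connection is a
             * renegotiation; the option says no, so flag the connection. */
            fprintf(stderr, "rejecting peer-initiated renegotiation\n");
            c->state = RENEG_ABORT;
        }
    }
    if ((where & SSL_CB_HANDSHAKE_DONE) && c->state == RENEG_INIT)
        c->state = RENEG_ESTABLISHED;
}

/* Gate consulted before each application read or write (Apache does the
 * equivalent inside its BIO filter). Returns 1 to proceed, 0 to close. */
int reneg_io_allowed(const struct reneg_conn *c)
{
    return c->state != RENEG_ABORT;
}

/* Feed a canned event sequence through the state machine and return how
 * many application I/O attempts were let through before the connection
 * was (or was not) dropped. */
int run_sequence(int allow_renegotiation, const int *events, int n)
{
    struct reneg_conn c;
    int i, allowed = 0;

    reneg_conn_init(&c, allow_renegotiation);
    for (i = 0; i < n; i++) {
        if (events[i] == EV_APP_IO) {
            if (!reneg_io_allowed(&c))
                break; /* connection closed: nothing more is served */
            allowed++;
        } else {
            reneg_on_event(&c, events[i]);
        }
    }
    return allowed;
}

/* Constructed sample: initial handshake, two data exchanges, then the
 * peer starts a second handshake and tries to keep talking. */
static const int DEMO_RENEG[] = {
    SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE, EV_APP_IO, EV_APP_IO,
    SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE, EV_APP_IO
};
#define DEMO_RENEG_N ((int)(sizeof DEMO_RENEG / sizeof DEMO_RENEG[0]))

/* Constructed sample: a plain connection with one handshake only; the
 * initial handshake must never be mistaken for a renegotiation. */
static const int DEMO_PLAIN[] = {
    SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE, EV_APP_IO, EV_APP_IO
};
#define DEMO_PLAIN_N ((int)(sizeof DEMO_PLAIN / sizeof DEMO_PLAIN[0]))

int main(void)
{
    printf("renegotiation allowed:  %d of 3 I/O operations served\n",
           run_sequence(1, DEMO_RENEG, DEMO_RENEG_N));
    printf("renegotiation disabled: %d of 3 I/O operations served\n",
           run_sequence(0, DEMO_RENEG, DEMO_RENEG_N));
    printf("single handshake, disabled: %d of 2 served\n",
           run_sequence(0, DEMO_PLAIN, DEMO_PLAIN_N));
    return 0;
}
```

With renegotiation allowed all three I/O operations go through; with it disabled the two before the second handshake are served and the third is refused because the connection is marked for teardown. The single-handshake case shows the check does not fire on the initial handshake, which is why the default of allowing renegotiation and the disabled setting behave identically for ordinary connections.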