[squid-dev] [PATCH] Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.
Christos Tsantilas
christos at chtsanti.net
Sun Jan 22 12:03:06 UTC 2017
There is a well-known DoS attack using client-initiated SSL/TLS
renegotiation. The severity or uniqueness of this attack method is
disputed, but many believe it is serious/real.
There is even a (disputed) CVE 2011-1473:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
The old Squid code tried to disable client-initiated renegotiation, but
it did not work reliably (or at all), depending on Squid version, due to
OpenSSL API changes and conflicting SslBump callbacks. That code is now
removed and client-initiated renegotiations are allowed.
With this change, Squid aborts the TLS connection, with a level-1 ERROR
message if the rate of client-initiated renegotiate requests exceeds 5
requests in 10 seconds (approximately). This protection and the rate
limit are currently hard-coded but the rate is not expected to be
exceeded under normal circumstances.
This is a Measurement Factory project
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-266-DoS-using-client-initiated-renegotiation-t2.patch
Type: text/x-patch
Size: 14282 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170122/43b24630/attachment.bin>
More information about the squid-dev
mailing list