[squid-dev] [PATCH] Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

Christos Tsantilas christos at chtsanti.net
Sun Jan 22 12:03:06 UTC 2017


There is a well-known DoS attack using client-initiated SSL/TLS 
renegotiation. The severity or uniqueness of this attack method is 
disputed, but many believe it is serious/real.
There is even a (disputed) CVE-2011-1473:
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473

The old Squid code tried to disable client-initiated renegotiation, but 
it did not work reliably (or at all), depending on Squid version, due to 
OpenSSL API changes and conflicting SslBump callbacks. That code is now 
removed and client-initiated renegotiations are allowed.

With this change, Squid aborts the TLS connection, with a level-1 ERROR 
message, if the rate of client-initiated renegotiation requests exceeds 5 
requests in 10 seconds (approximately). This protection and the rate 
limit are currently hard-coded, but the rate is not expected to be 
exceeded under normal circumstances.

This is a Measurement Factory project
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-266-DoS-using-client-initiated-renegotiation-t2.patch
Type: text/x-patch
Size: 14282 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170122/43b24630/attachment.bin>
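The mitigation described in the post is a per-connection rate limit on renegotiation requests. The sliding-window counter below is an added illustration of that idea, not code from the Squid patch attached above, and it does not reproduce how Squid hooks into OpenSSL: it assumes the caller already has a way to observe each client-initiated renegotiation and a monotonic millisecond clock, and it treats "exceeds 5 in 10 seconds" as "abort on the sixth request whose timestamp falls within 10 seconds of the oldest retained one". The class name, the `firstAbortIndex` helper, and the sample timestamp sequences are all constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <deque>
#include <vector>

// Hypothetical per-connection limiter (not Squid's code). It keeps the
// timestamps of recent renegotiation requests and reports when more than
// maxEvents of them fall inside a window of windowSeconds. Timestamps are
// assumed to come from a monotonic clock, so they never go backwards.
class RenegotiationLimiter {
public:
    explicit RenegotiationLimiter(unsigned maxEvents = 5, uint64_t windowSeconds = 10)
        : maxEvents_(maxEvents), windowMs_(windowSeconds * 1000) {}

    // Call once for every renegotiation request observed on the connection.
    // Returns true when the caller should abort the connection.
    bool record(uint64_t nowMs) {
        prune(nowMs);
        events_.push_back(nowMs);
        return events_.size() > maxEvents_;
    }

    // Number of requests still inside the window as of nowMs.
    size_t pending(uint64_t nowMs) {
        prune(nowMs);
        return events_.size();
    }

private:
    // Drop timestamps that have aged out of the window. Because timestamps
    // are monotonic, the oldest entry is always at the front of the deque.
    void prune(uint64_t nowMs) {
        while (!events_.empty() && nowMs - events_.front() >= windowMs_)
            events_.pop_front();
    }

    unsigned maxEvents_;
    uint64_t windowMs_;
    std::deque<uint64_t> events_;
};

// Replays a constructed sequence of renegotiation timestamps (milliseconds)
// through a fresh limiter and returns the 0-based index of the request that
// trips the limit, or -1 if the whole sequence stays within budget.
int firstAbortIndex(const std::vector<uint64_t> &timestampsMs,
                    unsigned maxEvents = 5, uint64_t windowSeconds = 10) {
    RenegotiationLimiter limiter(maxEvents, windowSeconds);
    for (size_t i = 0; i < timestampsMs.size(); ++i)
        if (limiter.record(timestampsMs[i]))
            return static_cast<int>(i);
    return -1;
}

int main() {
    // Constructed sample: six renegotiations within half a second.
    const std::vector<uint64_t> burst = {0, 100, 200, 300, 400, 500};
    // Constructed sample: a client renegotiating every three seconds.
    const std::vector<uint64_t> steady = {0, 3000, 6000, 9000, 12000, 15000};

    std::printf("burst: abort at request index %d\n", firstAbortIndex(burst));   // 5
    std::printf("steady: abort at request index %d\n", firstAbortIndex(steady)); // -1
    return 0;
}
```

The window is evaluated relative to the oldest retained request rather than on fixed 10-second boundaries, which is why a client that spaces its renegotiations evenly never accumulates more than a handful of entries, while a burst trips the limit on its sixth request regardless of when within the window it starts.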

