[squid-dev] [PATCH] Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.
Amos Jeffries
squid3 at treenet.co.nz
Mon Jan 23 13:52:32 UTC 2017
On 23/01/2017 11:04 p.m., Christos Tsantilas wrote:
> On 22/01/2017 07:11 μμ, Amos Jeffries wrote:
>> On 23/01/2017 1:03 a.m., Christos Tsantilas wrote:
>>>
>>> There is a well-known DoS attack using client-initiated SSL/TLS
>>> renegotiation. The severity or uniqueness of this attack method is
>>> disputed, but many believe it is serious/real.
>>> There is even a (disputed) CVE 2011-1473:
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
>>>
>>> The old Squid code tried to disable client-initiated renegotiation, but
>>> it did not work reliably (or at all), depending on Squid version, due to
>>> OpenSSL API changes and conflicting SslBump callbacks. That code is now
>>> removed and client-initiated renegotiations are allowed.
>>>
>>> With this change, Squid aborts the TLS connection, with a level-1 ERROR
>>> message if the rate of client-initiated renegotiate requests exceeds 5
>>> requests in 10 seconds (approximately). This protection and the rate
>>> limit are currently hard-coded but the rate is not expected to be
>>> exceeded under normal circumstances.
>>>
>>> This is a Measurement Factory project
>>>
>>
+1.
Amos
More information about the squid-dev
mailing list