[squid-dev] [PATCH] Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

Christos Tsantilas christos at chtsanti.net
Tue Jan 24 12:55:46 UTC 2017


The t3 patch applied to squid-5 as r15014

I am also attaching the patch for squid-3.5.

On 23/01/2017 03:52 PM, Amos Jeffries wrote:
> On 23/01/2017 11:04 p.m., Christos Tsantilas wrote:
>> On 22/01/2017 07:11 PM, Amos Jeffries wrote:
>>> On 23/01/2017 1:03 a.m., Christos Tsantilas wrote:
>>>>
>>>> There is a well-known DoS attack using client-initiated SSL/TLS
>>>> renegotiation. The severity or uniqueness of this attack method is
>>>> disputed, but many believe it is serious/real.
>>>> There is even a (disputed) CVE-2011-1473:
>>>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
>>>>
>>>> The old Squid code tried to disable client-initiated renegotiation, but
>>>> it did not work reliably (or at all), depending on Squid version, due to
>>>> OpenSSL API changes and conflicting SslBump callbacks. That code is now
>>>> removed and client-initiated renegotiations are allowed.
>>>>
>>>> With this change, Squid aborts the TLS connection, with a level-1 ERROR
>>>> message if the rate of client-initiated renegotiate requests exceeds 5
>>>> requests in 10 seconds (approximately). This protection and the rate
>>>> limit are currently hard-coded but the rate is not expected to be
>>>> exceeded under normal circumstances.
>>>>
>>>> This is a Measurement Factory project
>>>>
>>>
>
> +1.
>
> Amos
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-266-DoS-using-client-initiated-renegotiation-squid-3.5-t3.patch
Type: text/x-patch
Size: 13857 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170124/c141db16/attachment.bin>
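The rate limit described in the quoted commit message (abort the TLS connection once client-initiated renegotiations exceed 5 in about 10 seconds) can be shown as a small sliding-window limiter. The code below is an added illustration written for this archive page; it is not Squid's code and is not taken from the attached patch. The class name RenegotiationLimiter, the function firstAbortIndex and the traces it replays are invented for the example, and the OpenSSL hook is only sketched in a comment (OpenSSL's info callback, installed with SSL_set_info_callback(), is called with SSL_CB_HANDSHAKE_START set in its "where" argument at the start of every handshake, the initial one included). Unlike the patch, which hard-codes the numbers, the limit and window are parameters here so other values can be exercised.

```cpp
// Added illustration of the rate limit described in the thread: abort the
// TLS connection once client-initiated renegotiations exceed 5 in 10 seconds.
// This is not Squid's code and not taken from the attached patch; the class
// and function names below are invented for the example.
#include <chrono>
#include <cstddef>
#include <cstdio>
#include <deque>
#include <vector>

class RenegotiationLimiter {
public:
    using Clock = std::chrono::steady_clock;

    // The limit and window are hard-coded in the patch description; here they
    // are parameters so the same class can be exercised with other values.
    explicit RenegotiationLimiter(std::size_t limit = 5,
                                  Clock::duration window = std::chrono::seconds(10))
        : limit_(limit), window_(window) {}

    // Feed every handshake start the connection sees. With OpenSSL this would
    // be called from the info callback installed via SSL_set_info_callback():
    //   void cb(const SSL *ssl, int where, int ret) {
    //       if (where & SSL_CB_HANDSHAKE_START) limiter.onHandshakeStart(Clock::now());
    //   }
    // (hook sketched only; not compiled here). The first handshake start is the
    // initial handshake, not a renegotiation, so it is not counted.
    // Returns true when the caller should abort the connection.
    bool onHandshakeStart(Clock::time_point now) {
        if (!sawInitialHandshake_) {
            sawInitialHandshake_ = true;
            return false;
        }
        // Sliding window: forget renegotiations older than the window.
        while (!events_.empty() && now - events_.front() > window_)
            events_.pop_front();
        events_.push_back(now);
        return events_.size() > limit_;   // "exceeds 5 in 10 seconds"
    }

    std::size_t recentRenegotiations() const { return events_.size(); }

private:
    std::size_t limit_;
    Clock::duration window_;
    bool sawInitialHandshake_ = false;
    std::deque<Clock::time_point> events_;   // renegotiation timestamps still inside the window
};

// Replays a constructed trace of handshake-start times (milliseconds since the
// connection was accepted) and returns the index of the event at which the
// limiter says to abort, or -1 if the trace never trips the limit.
int firstAbortIndex(const std::vector<int> &handshakeStartMs,
                    std::size_t limit = 5, int windowMs = 10000)
{
    RenegotiationLimiter limiter(limit, std::chrono::milliseconds(windowMs));
    const RenegotiationLimiter::Clock::time_point origin{};   // arbitrary epoch for the replay
    for (std::size_t i = 0; i < handshakeStartMs.size(); ++i) {
        const auto now = origin + std::chrono::milliseconds(handshakeStartMs[i]);
        if (limiter.onHandshakeStart(now))
            return static_cast<int>(i);
    }
    return -1;
}

int main()
{
    // Constructed traces, not captured traffic.
    // burst: initial handshake at t=0, then one renegotiation per second;
    // the sixth renegotiation (event 6, t=6 s) exceeds 5 within 10 s.
    const std::vector<int> burst = {0, 1000, 2000, 3000, 4000, 5000, 6000};
    std::printf("burst trace: abort at event %d\n", firstAbortIndex(burst));
    // slow: one renegotiation every 3 s never has more than 4 in any 10 s window.
    const std::vector<int> slow = {0, 3000, 6000, 9000, 12000, 15000, 18000, 21000, 24000};
    std::printf("slow trace: abort at event %d\n", firstAbortIndex(slow));
    return 0;
}
```

Two caveats a deployer would want alongside this: the limiter caps the attacker's amplification but does not remove it, since each of the first five renegotiations still costs the server a full handshake, and the level-1 ERROR message the patch emits is the signal worth alerting on. Renegotiation does not exist in TLS 1.3, so the check only matters for TLS 1.2 and earlier; OpenSSL 1.1.0h and 1.1.1 added SSL_OP_NO_RENEGOTIATION, which refuses client-initiated renegotiation outright and is the simpler control where that OpenSSL version is available.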