[squid-dev] [PATCH] Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.
Christos Tsantilas
christos at chtsanti.net
Wed Jan 25 10:13:28 UTC 2017
The patches r15016 and r15017 are required to allow make check/distcheck
to work on some platforms.
I am attaching a new patch for squid-3.5.
On 24/01/2017 02:55 PM, Christos Tsantilas wrote:
> The t3 patch applied to squid-5 as r15014
>
> I am also attaching the patch for squid-3.5.
>
> On 23/01/2017 03:52 PM, Amos Jeffries wrote:
>> On 23/01/2017 11:04 p.m., Christos Tsantilas wrote:
>>> On 22/01/2017 07:11 PM, Amos Jeffries wrote:
>>>> On 23/01/2017 1:03 a.m., Christos Tsantilas wrote:
>>>>>
>>>>> There is a well-known DoS attack using client-initiated SSL/TLS
>>>>> renegotiation. The severity or uniqueness of this attack method is
>>>>> disputed, but many believe it is serious/real.
>>>>> There is even a (disputed) CVE 2011-1473:
>>>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
>>>>>
>>>>> The old Squid code tried to disable client-initiated renegotiation, but
>>>>> it did not work reliably (or at all), depending on Squid version, due to
>>>>> OpenSSL API changes and conflicting SslBump callbacks. That code is now
>>>>> removed and client-initiated renegotiations are allowed.
>>>>>
>>>>> With this change, Squid aborts the TLS connection, with a level-1 ERROR
>>>>> message if the rate of client-initiated renegotiate requests exceeds 5
>>>>> requests in 10 seconds (approximately). This protection and the rate
>>>>> limit are currently hard-coded but the rate is not expected to be
>>>>> exceeded under normal circumstances.
>>>>>
>>>>> This is a Measurement Factory project
>>>>>
>>>>
>>
>> +1.
>>
>> Amos
>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-266-DoS-using-client-initiated-renegotiation-squid-3.5-t4.patch
Type: text/x-patch
Size: 16407 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170125/0876ceb9/attachment-0001.bin>
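The rate limit described in the quoted message (abort the TLS connection when client-initiated renegotiations exceed roughly 5 in 10 seconds), as an added C++ example that is not taken from the attached patch or from Squid's code: a per-connection sliding-window counter, plus the shape of the OpenSSL info-callback hook that would feed it. The class and function names, the sliding-window policy (the patch's exact counting scheme is not visible on this page) and the sample handshake traces are assumptions made for illustration; the 0x10 value is OpenSSL's SSL_CB_HANDSHAKE_START, restated here only so the file compiles without OpenSSL headers.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>
#include <vector>

// Per-connection limiter for client-initiated TLS renegotiations.
// Assumed policy (illustration, not Squid's implementation): keep the
// timestamps of renegotiation handshake starts that fall inside a sliding
// window of windowSeconds; once more than maxRenegotiations are inside the
// window, the connection is aborted.
class RenegotiationLimiter {
public:
    explicit RenegotiationLimiter(std::size_t maxRenegotiations = 5,
                                  double windowSeconds = 10.0)
        : max_(maxRenegotiations), window_(windowSeconds) {}

    // Record a handshake start at `now` (seconds on a monotonic clock,
    // injected as a parameter so the behaviour is deterministic).
    // Returns true when the connection should be aborted.
    bool noteHandshakeStart(double now) {
        if (!initialHandshakeSeen_) {
            // The first handshake on a connection is not a renegotiation.
            initialHandshakeSeen_ = true;
            return false;
        }
        // Forget renegotiations that have aged out of the window.
        while (!starts_.empty() && now - starts_.front() >= window_)
            starts_.pop_front();
        starts_.push_back(now);
        return starts_.size() > max_;
    }

    std::size_t renegotiationsInWindow() const { return starts_.size(); }

private:
    std::size_t max_;
    double window_;
    bool initialHandshakeSeen_ = false;
    std::deque<double> starts_;  // handshake-start times still inside the window
};

// OpenSSL reports each handshake start to the SSL_CTX_set_info_callback()
// callback with the SSL_CB_HANDSHAKE_START bit (0x10) set in `where`. The
// value is spelled out so this example builds without <openssl/ssl.h>; a
// real proxy would reach the connection's limiter via SSL_get_ex_data()
// inside that callback instead of passing it in as an argument.
static const int kHandshakeStartBit = 0x10;

// Returns true when `where` marks a handshake start that pushes the
// connection over the limit; other notifications are ignored.
bool onTlsInfoEvent(RenegotiationLimiter &limiter, int where, double now) {
    if (!(where & kHandshakeStartBit))
        return false;  // loop/alert/exit notifications are not renegotiations
    return limiter.noteHandshakeStart(now);
}

// Feed a constructed sequence of handshake-start times (the first being the
// initial handshake) through a fresh limiter; return the index of the event
// that triggers the abort, or -1 if the client stays within the limit.
int firstAbortIndex(const std::vector<double> &handshakeTimes,
                    std::size_t maxRenegotiations = 5,
                    double windowSeconds = 10.0) {
    RenegotiationLimiter limiter(maxRenegotiations, windowSeconds);
    for (std::size_t i = 0; i < handshakeTimes.size(); ++i) {
        if (onTlsInfoEvent(limiter, kHandshakeStartBit, handshakeTimes[i]))
            return static_cast<int>(i);
    }
    return -1;
}

int main() {
    // Constructed traces: a renegotiation flood, a polite client, and a
    // burst that pauses long enough for the window to empty before the
    // next burst.
    const std::vector<double> flood  = {0, 1, 2, 3, 4, 5, 6};
    const std::vector<double> polite = {0, 3, 6, 9, 12, 15, 18};
    const std::vector<double> bursts = {0, 1, 1, 1, 1, 1, 12, 12, 12, 12, 12, 12};
    std::printf("flood aborts at event %d\n", firstAbortIndex(flood));
    std::printf("polite client aborts at event %d\n", firstAbortIndex(polite));
    std::printf("two bursts abort at event %d\n", firstAbortIndex(bursts));
    return 0;
}
```

The initial handshake is skipped because the info callback reports it exactly like a renegotiation; a real implementation would read a monotonic clock (std::chrono::steady_clock) rather than take injected timestamps. A per-connection cut-off bounds the work one connection can force, not the aggregate from many connections, so it complements connection-level limits rather than replacing them. Where disabling renegotiation outright is acceptable, OpenSSL 1.1.0h and later provide SSL_OP_NO_RENEGOTIATION, and TLS 1.3 removes renegotiation from the protocol entirely.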