Re: Banning TLS renegotiation
On Tue, Oct 03, 2017 at 02:48:55PM +0100, Daniel P. Berrange wrote:
> I would say
>
> "a peer SHOULD follow the TLS protocol spec for accepting
> or rejecting a renegotiation, but MAY close the connection
> abruptly"
How about this extension of the above:
"A peer SHOULD follow the TLS protocol spec for accepting
or rejecting a renegotiation, but MAY close the connection
abruptly. If the peer accepts renegotiation then it MUST
follow RFC5746, and it MAY limit the number of times per
connection that renegotiations are permitted in order to
prevent a possible Denial of Service attack."
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top