
Re: Banning TLS renegotiation



On Tue, Oct 03, 2017 at 02:48:55PM +0100, Daniel P. Berrange wrote:
> I would say
> 
>   "a peer SHOULD follow the TLS protocol spec for accepting
>    or rejecting a renegotiation, but MAY close the connection
>    abruptly"

How about this extension of the above:

  "A peer SHOULD follow the TLS protocol spec for accepting
  or rejecting a renegotiation, but MAY close the connection
  abruptly.  If the peer accepts renegotiation then it MUST
  follow RFC5746, and it MAY limit the number of times per
  connection that renegotiations are permitted in order to
  prevent a possible Denial of Service attack."

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
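
As an added example (not code from this thread or from any project it concerns), the following is a server-side decision routine that applies the checks RFC 5746 requires on a renegotiation ClientHello together with the optional per-connection cap proposed above. The extension payloads and verify_data values are constructed sample bytes, and the decision names ('accept', 'reject', 'close') are assumptions mirroring the proposed wording.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

RENEGOTIATION_INFO = 0xFF01   # extension type, RFC 5746 section 3.2
TLS_VERIFY_DATA_LEN = 12      # Finished.verify_data length for TLS 1.x


def parse_renegotiated_connection(payload: bytes) -> Optional[bytes]:
    """Decode renegotiated_connection<0..255>; None if malformed."""
    if not payload or len(payload) != 1 + payload[0]:
        return None
    return payload[1:]


@dataclass
class ServerConnState:
    secure_renegotiation: bool = False  # peer signalled RFC 5746 initially
    client_verify_data: bytes = b""     # saved from last finished handshake
    server_verify_data: bytes = b""
    renegotiations: int = 0
    max_renegotiations: int = 1         # the MAY limit; constructed value


def handshake_complete(state: ServerConnState, client_vd: bytes, server_vd: bytes):
    """Record the verify_data of the handshake that just finished."""
    state.client_verify_data, state.server_verify_data = client_vd, server_vd


def handle_client_hello(state: ServerConnState, ext_payload: Optional[bytes],
                        has_scsv: bool, initial: bool) -> Tuple[str, Optional[bytes]]:
    """Return (decision, renegotiation_info payload for the ServerHello).
    'reject' means a no_renegotiation alert that keeps the connection open;
    'close' means the handshake is aborted, as RFC 5746 requires."""
    if initial:
        if ext_payload is None and not has_scsv:
            state.secure_renegotiation = False   # legacy peer, no RFC 5746
            return "accept", None
        if ext_payload is not None and parse_renegotiated_connection(ext_payload) != b"":
            return "close", None                 # must be empty on the first handshake
        state.secure_renegotiation = True
        return "accept", b"\x00"                 # empty renegotiated_connection
    # Renegotiation: extension must be present, SCSV must be absent, and the
    # value must equal the client_verify_data we saved (RFC 5746 section 3.6).
    if not state.secure_renegotiation or has_scsv or ext_payload is None:
        return "close", None
    if parse_renegotiated_connection(ext_payload) != state.client_verify_data:
        return "close", None                     # handshake_failure
    if state.renegotiations >= state.max_renegotiations:
        return "reject", None                    # per-connection cap reached
    state.renegotiations += 1
    resp = state.client_verify_data + state.server_verify_data
    return "accept", bytes([len(resp)]) + resp
```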
