
Re: Banning TLS renegotiation



On Tue, Oct 03, 2017 at 02:59:31PM +0100, Richard W.M. Jones wrote:
> On Tue, Oct 03, 2017 at 02:48:55PM +0100, Daniel P. Berrange wrote:
> > I would say
> > 
> >   "a peer  SHOULD follow the TLS protocol spec for accepting
> >    or rejecting a renegotiation, but MAY close the connection
> >    abruptly"
> 
> How about this extension of the above:
> 
>   "A peer SHOULD follow the TLS protocol spec for accepting
>   or rejecting a renegotiation, but MAY close the connection
>   abruptly.  If the peer accepts renegotiation then it MUST
>   follow RFC5746, and it MAY limit the number of times per
>   connection that renegotiations are permitted in order to
>   prevent a possible Denial of Service attack."

That's fine with me.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
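The wording agreed above leaves three decisions to the implementation: reject renegotiation outright, accept it only when the peer negotiated RFC 5746 secure renegotiation, and cap how many renegotiations one connection may perform. The following Python is an added illustration of that policy as a small decision function, not code from the NBD reference implementation or from the people on this thread; the cap of three, the `TlsConnectionState` fields and the connection events are assumptions chosen for the example, and in a real server the RFC 5746 flag would come from the TLS library rather than from a constructed field.

```python
"""Model of the renegotiation policy proposed in the thread.

Added example, not the NBD reference implementation. The TLS library is
stood in for by a constructed TlsConnectionState; the renegotiation cap is
an assumed value, since the thread names no number.
"""

from dataclasses import dataclass, field

# Assumed per-connection cap; the spec text only says a peer MAY limit it.
MAX_RENEGOTIATIONS_PER_CONN = 3


@dataclass
class TlsConnectionState:
    """Constructed stand-in for what a TLS library would report about a session."""
    # True when the RFC 5746 renegotiation_info extension was negotiated.
    peer_supports_secure_renegotiation: bool
    renegotiations_done: int = 0
    closed: bool = False
    log: list = field(default_factory=list)


def handle_renegotiation_request(conn: TlsConnectionState,
                                 limit: int = MAX_RENEGOTIATIONS_PER_CONN) -> str:
    """Decide what to do with one incoming renegotiation request.

    Returns "accept", "reject" or "close", mirroring the three outcomes the
    proposed wording permits (follow the TLS spec to accept/reject, or close
    the connection abruptly).
    """
    if conn.closed:
        return "close"

    # RFC 5746 exists to close the legacy-renegotiation weakness; a peer that
    # did not negotiate the extension gets a plain rejection, never a
    # fallback to unprotected renegotiation.
    if not conn.peer_supports_secure_renegotiation:
        conn.log.append("renegotiation rejected: peer lacks RFC 5746 extension")
        return "reject"

    # Each full handshake costs CPU; cap them so a single client cannot
    # keep the server busy renegotiating (the DoS concern in the thread).
    if conn.renegotiations_done >= limit:
        conn.closed = True
        conn.log.append(f"connection closed: renegotiation limit {limit} reached")
        return "close"

    conn.renegotiations_done += 1
    conn.log.append(f"renegotiation {conn.renegotiations_done} accepted")
    return "accept"


def run_requests(conn: TlsConnectionState, count: int) -> list:
    """Feed `count` consecutive renegotiation requests and collect the decisions."""
    return [handle_renegotiation_request(conn) for _ in range(count)]


if __name__ == "__main__":
    # Constructed scenario 1: compliant peer asks to renegotiate five times.
    good = TlsConnectionState(peer_supports_secure_renegotiation=True)
    print(run_requests(good, 5))   # ['accept', 'accept', 'accept', 'close', 'close']
    # Constructed scenario 2: peer without RFC 5746 support.
    legacy = TlsConnectionState(peer_supports_secure_renegotiation=False)
    print(run_requests(legacy, 2))  # ['reject', 'reject']
    for line in good.log + legacy.log:
        print(line)
```

The counter is per connection, so a client that is closed after hitting the cap can simply reconnect; that is deliberate, because the clause in the thread only limits work per connection, and connection-rate limits are a separate control.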