Re: Banning TLS renegotiation
On Tue, Oct 03, 2017 at 02:59:31PM +0100, Richard W.M. Jones wrote:
> On Tue, Oct 03, 2017 at 02:48:55PM +0100, Daniel P. Berrange wrote:
> > I would say
> >
> > "a peer SHOULD follow the TLS protocol spec for accepting
> > or rejecting a renegotiation, but MAY close the connection
> > abruptly"
>
> How about this extension of the above:
>
> "A peer SHOULD follow the TLS protocol spec for accepting
> or rejecting a renegotiation, but MAY close the connection
> abruptly. If the peer accepts renegotiation then it MUST
> follow RFC5746, and it MAY limit the number of times per
> connection that renegotiations are permitted in order to
> prevent a possible Denial of Service attack."
That's fine with me.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
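Added example, not code from the thread's authors or from the NBD or libvirt projects: a server-side model of the policy the thread converges on, written in Python. It checks the RFC 5746 renegotiation_info extension (type 0xff01) and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling cipher suite (0x00ff) on each ClientHello, refuses renegotiation from legacy peers, aborts on a missing or mismatched client_verify_data, and declines (rather than aborts) once a per-connection renegotiation limit is reached. The names RenegotiationPolicy, build_extensions and demo, the outcome labels, and the ClientHello fragments and verify_data values are assumptions constructed for this illustration; nothing here is captured from a real connection.

```python
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RENEGOTIATION_INFO = 0xFF01     # extension type, RFC 5746 section 3.2
EMPTY_RENEG_INFO_SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746 section 3.3

# Outcomes, following the wording of the thread: accept per the TLS spec,
# decline with a no_renegotiation warning alert, or close the connection.
ACCEPT = "accept"
REJECT = "reject"
CLOSE = "close"


def parse_extensions(block: bytes) -> Dict[int, bytes]:
    """Parse a TLS extensions block: 2-byte total length, then type/len/data items."""
    if len(block) < 2:
        raise ValueError("truncated extensions block")
    total = struct.unpack("!H", block[:2])[0]
    body = block[2:2 + total]
    if len(body) != total:
        raise ValueError("extensions length mismatch")
    exts: Dict[int, bytes] = {}
    pos = 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension data")
        if ext_type in exts:
            raise ValueError("duplicate extension")
        exts[ext_type] = data
        pos += ext_len
    return exts


def build_extensions(items: List[Tuple[int, bytes]]) -> bytes:
    """Inverse of parse_extensions, used here only to construct sample hellos."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in items)
    return struct.pack("!H", len(body)) + body


@dataclass
class RenegotiationPolicy:
    """Per-connection server state (hypothetical helper, not a real TLS stack)."""
    max_renegotiations: int = 3
    handshakes_done: int = 0
    secure_renegotiation: bool = False
    client_verify_data: Optional[bytes] = None  # verify_data of the client's last Finished
    server_verify_data: Optional[bytes] = None  # verify_data of the server's last Finished

    def on_client_hello(self, cipher_suites: List[int], extensions_block: bytes) -> str:
        try:
            exts = parse_extensions(extensions_block)
        except ValueError:
            return CLOSE  # malformed hello: drop the connection rather than guess
        info = exts.get(RENEGOTIATION_INFO)
        scsv = EMPTY_RENEG_INFO_SCSV in cipher_suites

        if self.handshakes_done == 0:
            # Initial handshake (RFC 5746 3.6): the extension, if present, must be empty
            if info is not None and info != b"\x00":
                return CLOSE
            self.secure_renegotiation = info is not None or scsv
            return ACCEPT

        # Renegotiation (RFC 5746 3.7 and 4.4)
        if not self.secure_renegotiation:
            return REJECT  # legacy peer: never renegotiate, keep serving
        if scsv or info is None:
            return CLOSE   # SCSV on a renegotiating hello, or extension missing: abort
        expected = bytes([len(self.client_verify_data)]) + self.client_verify_data
        if not hmac.compare_digest(info, expected):
            return CLOSE   # client_verify_data does not match the previous handshake
        if self.handshakes_done - 1 >= self.max_renegotiations:
            return REJECT  # per-connection limit reached: decline to curb DoS
        return ACCEPT

    def server_renegotiation_info(self) -> Optional[bytes]:
        """Extension data for the ServerHello, or None to omit it (legacy peer)."""
        if not self.secure_renegotiation:
            return None
        if self.handshakes_done == 0:
            return b"\x00"
        payload = self.client_verify_data + self.server_verify_data
        return bytes([len(payload)]) + payload

    def on_handshake_done(self, client_verify_data: bytes, server_verify_data: bytes) -> None:
        self.client_verify_data = client_verify_data
        self.server_verify_data = server_verify_data
        self.handshakes_done += 1


def demo() -> List[str]:
    """Constructed exchange: initial handshake, one valid renegotiation, then abuse."""
    policy = RenegotiationPolicy(max_renegotiations=1)
    out = [policy.on_client_hello([0x002F], build_extensions([(RENEGOTIATION_INFO, b"\x00")]))]
    policy.on_handshake_done(bytes(range(12)), bytes(range(12, 24)))  # constructed verify_data
    cvd = policy.client_verify_data
    out.append(policy.on_client_hello([0x002F], build_extensions([(RENEGOTIATION_INFO, bytes([12]) + cvd)])))
    policy.on_handshake_done(bytes(range(24, 36)), bytes(range(36, 48)))
    cvd = policy.client_verify_data
    # correct verify_data, but the single permitted renegotiation is used up: decline
    out.append(policy.on_client_hello([0x002F], build_extensions([(RENEGOTIATION_INFO, bytes([12]) + cvd)])))
    # forged verify_data, as a spliced connection would present: abort
    out.append(policy.on_client_hello([0x002F], build_extensions([(RENEGOTIATION_INFO, bytes([12]) + bytes(12))])))
    return out
```

The verify_data comparison uses hmac.compare_digest so that a mismatch cannot be timed, and the limit check sits after the RFC 5746 checks so that a forged client_verify_data is always treated as fatal rather than as an over-quota request.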