[appserver-io/webserver] Fix DoS danger in secure client-initiated renegotiation of connections #892

Open
wick-ed opened this issue Aug 19, 2015 · 0 comments

wick-ed commented Aug 19, 2015

The feature of a secure client-initiated renegotiation of TLS/SSL connections makes a server vulnerable to a certain kind of very effective (D)DoS attack.
@see https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks

Several testing tools (including https://www.ssllabs.com) do mention this as a possible danger.

UAC:

  • The risk of a DoS attack over the described vector MUST be minimized
  • The feature SHOULD not be removed in order to do so
  • The feature COULD be removed if absolutely necessary
@wick-ed wick-ed added this to the Release 1.2.0 "Iron ?" milestone Nov 24, 2015
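One way to satisfy the first two acceptance criteria above (bound the DoS risk without removing the feature), as an added example that is not code from appserver-io/webserver: this assumes the server accepts TLS connections through PHP's stream wrapper (`stream_socket_server` with an `ssl` context), which is where PHP exposes its own `reneg_limit`, `reneg_window` and `reneg_limit_callback` SSL context options. The listen address, certificate path and the limit values are placeholders chosen for illustration.

```php
<?php
// Added example, not part of appserver-io/webserver. Assumes the server
// terminates TLS through PHP's stream wrapper; the option names reneg_limit,
// reneg_window and reneg_limit_callback are PHP's own SSL context options.

declare(strict_types=1);

/**
 * Build SSL stream context options that keep client-initiated renegotiation
 * enabled but cap how often one connection may trigger it.
 *
 * @param string $certPath PEM file holding certificate and key (placeholder)
 * @param int    $limit    renegotiations a peer may request per window
 * @param int    $window   window length in seconds
 */
function buildTlsContextOptions(string $certPath, int $limit = 2, int $window = 300): array
{
    return [
        'ssl' => [
            'local_cert'           => $certPath,
            // The feature stays available (criterion 2) ...
            'reneg_limit'          => $limit,
            'reneg_window'         => $window,
            // ... but its per-connection cost is bounded (criterion 1):
            'reneg_limit_callback' => 'onRenegotiationLimitExceeded',
        ],
    ];
}

/**
 * Called by PHP with the offending stream when a peer exceeds reneg_limit
 * inside reneg_window. Log the peer and drop the connection so the server
 * stops paying handshake CPU for it.
 *
 * @param resource $stream the TLS client stream
 */
function onRenegotiationLimitExceeded($stream): void
{
    $peer = stream_socket_get_name($stream, true) ?: 'unknown';
    error_log(sprintf('TLS renegotiation limit exceeded by %s, closing connection', $peer));
    fclose($stream);
}

// Usage with a hypothetical listen address and certificate path.
$context = stream_context_create(buildTlsContextOptions('/path/to/server.pem'));
$server  = stream_socket_server(
    'ssl://0.0.0.0:9443',
    $errno,
    $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN,
    $context
);
if ($server === false) {
    fwrite(STDERR, "listen failed: $errstr ($errno)\n");
    exit(1);
}

// Accept loop: the TLS handshake happens inside stream_socket_accept(), and
// any later renegotiation on $client is subject to the limit configured above.
while (($client = @stream_socket_accept($server, -1)) !== false) {
    fwrite($client, "HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n");
    fclose($client);
}
```

The limit and window values are per connection, so a legitimate client that renegotiates occasionally is unaffected, while a peer that renegotiates in a tight loop is cut off after `$limit` attempts and the event is logged for correlation; tune both values against the server's real traffic before deployment.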