git.ipfire.org Git - thirdparty/squid.git/commit - src/ssl/bio.cc
Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.
author: Christos Tsantilas <chtsanti@users.sourceforge.net>
Tue, 24 Jan 2017 12:09:25 +0000 (14:09 +0200)
committer: Christos Tsantilas <chtsanti@users.sourceforge.net>
Tue, 24 Jan 2017 12:09:25 +0000 (14:09 +0200)
commit: edb876ab9348039f9c709703104b6836f08c6edf
tree: d122084c13e7eb7f53ba6bf2ca8d733c1a7e5d1c
parent: 922c2ced2c83c2ec12547b4ded0fe44cfa6c906c
Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

There is a well-known DoS attack using client-initiated SSL/TLS
renegotiation. The severity or uniqueness of this attack method
is disputed, but many believe it is serious/real.
There is even a (disputed) CVE 2011-1473:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473

The old Squid code tried to disable client-initiated renegotiation, but
it did not work reliably (or at all), depending on Squid version, due
to OpenSSL API changes and conflicting SslBump callbacks. That
code is now removed and client-initiated renegotiations are allowed.

With this change, Squid aborts the TLS connection, with a level-1 ERROR
message if the rate of client-initiated renegotiate requests exceeds
5 requests in 10 seconds (approximately). This protection and the rate
limit are currently hard-coded but the rate is not expected to be
exceeded under normal circumstances.

This is a Measurement Factory project.
src/ssl/bio.cc
src/ssl/bio.h
src/ssl/support.cc
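The rate limit the commit message describes (abort once client-initiated renegotiations exceed roughly 5 in 10 seconds), shown as an added illustration that is not Squid's own bio.cc code: a per-connection sliding-window counter driven by caller-supplied timestamps so it can be replayed offline. `RenegotiationGuard`, `firstAbortIndex` and the timestamp sequences are constructed for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>
#include <vector>

// Thresholds taken from the commit message; Squid hard-codes them too,
// but these names are this example's, not Squid's.
constexpr std::size_t kRenegotiationLimit = 5;
constexpr double kRenegotiationWindowSecs = 10.0;

// Tracks client-initiated renegotiations on one TLS connection
// (hypothetical class, not Squid's ClientBio).
class RenegotiationGuard {
public:
    // Record a renegotiation request seen at `now` (seconds since some epoch).
    // Returns true when the connection should be aborted.
    bool onRenegotiation(double now) {
        // Drop events that have aged out of the sliding window.
        while (!events_.empty() && now - events_.front() > kRenegotiationWindowSecs)
            events_.pop_front();
        events_.push_back(now);
        if (events_.size() > kRenegotiationLimit)
            aborted_ = true;          // rate exceeded: caller should close the TLS connection
        return aborted_;
    }
    bool aborted() const { return aborted_; }
    std::size_t recentCount() const { return events_.size(); }
private:
    std::deque<double> events_;       // timestamps still inside the window
    bool aborted_ = false;
};

// Replays a sequence of renegotiation timestamps on a fresh connection.
// Returns the index of the event that triggered the abort, or -1 if none did.
int firstAbortIndex(const std::vector<double>& timestamps) {
    RenegotiationGuard guard;
    for (std::size_t i = 0; i < timestamps.size(); ++i)
        if (guard.onRenegotiation(timestamps[i]))
            return static_cast<int>(i);
    return -1;
}

int main() {
    // Constructed traces: a burst of six in half a second, a slow client, and
    // two bursts of five separated by more than the window.
    const std::vector<double> burst{0.0, 0.1, 0.2, 0.3, 0.4, 0.5};
    const std::vector<double> slow{0.0, 3.0, 6.0, 9.0, 12.0, 15.0, 18.0, 21.0};
    const std::vector<double> spaced{0.0, 1.0, 2.0, 3.0, 4.0, 15.0, 16.0, 17.0, 18.0, 19.0};
    std::printf("burst abort at %d, slow %d, spaced %d\n",
                firstAbortIndex(burst), firstAbortIndex(slow), firstAbortIndex(spaced));
}
```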