From: Neil Horman Date: Fri, 6 Dec 2024 16:28:02 +0000 (-0500) Subject: Add a warning that disabling server validation is not recommended X-Git-Tag: openssl-3.5.0-alpha1~291 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b441d20a2fdcb6bd65bc98fca20def62221169c6;p=thirdparty%2Fopenssl.git Add a warning that disabling server validation is not recommended Reviewed-by: Saša Nedvědický Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26114) --- diff --git a/doc/man3/SSL_new_listener.pod b/doc/man3/SSL_new_listener.pod index e8c41fa66be..01fd2fca85e 100644 --- a/doc/man3/SSL_new_listener.pod +++ b/doc/man3/SSL_new_listener.pod @@ -168,7 +168,11 @@ B may be passed in the flags field of both SSL_new_listener() and SSL_new_listener_from(). Note that this flag only impacts the sending of retry frames for server address validation. Tokens may still be communicated from the server via NEW_TOKEN frames, which will still -be validated on receipt in future connections. +be validated on receipt in future connections. Note that this setting is not +recommended and may be dangerous in untrusted environments. Not performing +address validation exposes the server to malicious clients that may open large +numbers of connections and never transact data on them (roughly equivalent to +a TCP syn flood attack), which address validation mitigates. The SSL_new_from_listener() creates a client connection under a given listener SSL object. For QUIC, it is also possible to use SSL_new_from_listener() in
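Review bot: the added paragraph in SSL_new_listener.pod now has two consecutive sentences opening with "Note that" (the existing "Note that this flag only impacts the sending of retry frames..." followed by the new "Note that this setting is not recommended..."); drop the second "Note that" and begin with "This setting is not recommended and may be dangerous in untrusted environments." Two smaller points in the same hunk: "TCP syn flood attack" should be "TCP SYN flood attack", since SYN is the TCP flag name, and the trailing clause "which address validation mitigates" attaches grammatically to "a TCP syn flood attack" rather than to the resource-exhaustion risk it is meant to qualify. Suggest closing the paragraph with a separate sentence instead, e.g. "Address validation mitigates this; disabling it with this flag removes that protection."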