From d64df821d97630f938a04682bf6cbc1bc6c9d5f7 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 6 Dec 2024 11:28:02 -0500 Subject: [PATCH] Add a warning that disabling server validation is not recommended MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Reviewed-by: Saša Nedvědický Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26114) --- doc/man3/SSL_new_listener.pod | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/man3/SSL_new_listener.pod b/doc/man3/SSL_new_listener.pod index e8c41fa66be..01fd2fca85e 100644 --- a/doc/man3/SSL_new_listener.pod +++ b/doc/man3/SSL_new_listener.pod @@ -168,7 +168,11 @@ B may be passed in the flags field of both SSL_new_listener() and SSL_new_listener_from(). Note that this flag only impacts the sending of retry frames for server address validation. Tokens may still be communicated from the server via NEW_TOKEN frames, which will still -be validated on receipt in future connections. +be validated on receipt in future connections. Note that this setting is not +recommended and may be dangerous in untrusted environments. Not performing +address validation exposes the server to malicious clients that may open large +numbers of connections and never transact data on them (roughly equivalent to +a TCP syn flood attack), which address validation mitigates. The SSL_new_from_listener() creates a client connection under a given listener SSL object. For QUIC, it is also possible to use SSL_new_from_listener() in -- 2.47.2
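Review bot: the new text in the hunk opens with "Note that this setting is not recommended" two lines after the paragraph's existing "Note that this flag only impacts", so the two warnings read as a stacked pair of notes; suggest dropping the second opener and starting with "This setting is not recommended and may be dangerous in untrusted environments." The closing "which address validation mitigates" also dangles after the parenthetical and would be clearer as its own sentence, e.g. "Address validation mitigates this attack." Minor: "TCP syn flood" should be "TCP SYN flood", since SYN is the flag name.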