[exim] Client-initiated renegotiation

Author: jmedard
Date:  
To: exim-users
Subject: [exim] Client-initiated renegotiation
Hello,

Unlike other OpenSSL options provided on Exim via "openssl_options", it is
not possible for the moment to set the current option on OpenSSL 1.1.1:
"-no_renegotiation" (SSL_OP_NO_RENEGOTIATION) in order to avoid the
possibility of DDoS on "Client-initiated renegotiation". That's a real
shame.

Client-initiated renegotiation is not recommended as it opens a server to
DoS attacks inside a TLS connection (like TLS 1.2, essentially). It should
therefore be disabled. See the "IT Security Guidelines for TLS" for more
information:
https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls

Do you know how I could force this option directly on OpenSSL? Like an
openssl.cfg configuration!
Regards

JME
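The post asks for a way to set SSL_OP_NO_RENEGOTIATION outside the application's own option list. The block below is an added example, not code from the post, from Exim or from OpenSSL: it shows the two places a defender can apply that option with OpenSSL 1.1.1, the per-process `openssl.cnf` route through the SSL_CONF "Options = NoRenegotiation" command, and the programmatic route via Python's `ssl` module, which sits directly on libssl so `ssl.OP_NO_RENEGOTIATION` is the same bit as SSL_OP_NO_RENEGOTIATION. Whether a particular binary such as Exim lets libssl load the system config is an assumption the reader has to verify against their own build; the `harden_server_context` and `renegotiation_disabled` helpers are hypothetical names chosen for this example.

```python
"""Disable client-initiated TLS renegotiation on an OpenSSL-backed server.

Added example (not from the original mailing-list post, Exim or OpenSSL).
ssl.OP_NO_RENEGOTIATION maps to OpenSSL's SSL_OP_NO_RENEGOTIATION, which
exists from OpenSSL 1.1.0h onwards; renegotiation only exists up to TLS 1.2,
TLS 1.3 replaced it with KeyUpdate, so the option is a no-op there.
"""
import ssl

# openssl.cnf route: the SSL_CONF module's "system_default" section is applied
# to every SSL_CTX created by a process that loads the config (OPENSSL_init_ssl
# does so by default from OpenSSL 1.1.1). Keys come from config(5) and
# SSL_CONF_cmd(3); that a given daemon reaches this path is an assumption.
OPENSSL_CNF_SNIPPET = """\
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = NoRenegotiation
"""


def _no_renegotiation_flag():
    """Return the SSL_OP_NO_RENEGOTIATION bit, or fail loudly on old libssl."""
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if flag is None:
        # Older OpenSSL (< 1.1.0h) has no way to refuse renegotiation cleanly;
        # refusing to start is safer than silently running without the option.
        raise RuntimeError(
            "linked %s predates SSL_OP_NO_RENEGOTIATION" % ssl.OPENSSL_VERSION)
    return flag


def harden_server_context(certfile=None, keyfile=None):
    """Build a server SSLContext that refuses client-initiated renegotiation.

    certfile/keyfile are optional so the function can be exercised without
    a certificate on disk; a real server passes its chain and key.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Same effect as SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) in C:
    # a renegotiation request from the client is answered with a
    # no_renegotiation alert instead of a fresh, CPU-expensive handshake.
    ctx.options |= _no_renegotiation_flag()
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def renegotiation_disabled(ctx):
    """Audit check: True if the context carries SSL_OP_NO_RENEGOTIATION."""
    return bool(ctx.options & _no_renegotiation_flag())


if __name__ == "__main__":
    hardened = harden_server_context()
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("renegotiation disabled:", renegotiation_disabled(hardened))
    print(OPENSSL_CNF_SNIPPET)
```

To use the config route, the snippet is merged into the `openssl.cnf` the process reads (the `openssl version -d` directory, or the file named by `OPENSSL_CONF`), after which `renegotiation_disabled()` on a freshly created context reports True without the application having set anything itself; if it still reports False, the binary is not loading the config and the option has to be set in the application.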