Hello,
Unlike other OpenSSL options provided on Exim via "openssl_options", it is
not possible for the moment to set the current option on OpenSSL 1.1.1:
"-no_renegotiation" (SSL_OP_NO_RENEGOTIATION) in order to avoid the
possibility of DDoS on "Client-initiated renegotiation". That's a real
shame.
Client-initiated renegotiation is not recommended as it opens a server to
DoS attacks inside a TLS connection (like TLS 1.2, essentially). It should
therefore be disabled. See the "IT Security Guidelines for TLS" for more
information:
https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
Do you know how I could force this option directly on OpenSSL? Like an
openssl.cfg configuration!
Regards
JME
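As an added illustration (not part of the original message, and not Exim's own configuration), this is the OpenSSL 1.1.1 system-default configuration fragment that corresponds to the question: the SSL_CONF "Options" command accepts the value NoRenegotiation, which is documented as equivalent to setting SSL_OP_NO_RENEGOTIATION. It assumes the application loads the OpenSSL config file at initialisation (the 1.1.1 default unless the program opts out) and does not later clear the option itself; the section names are the conventional ones from the OpenSSL config(5) manual and can be renamed.

```ini
# /etc/ssl/openssl.cnf (or the file named by OPENSSL_CONF); added example,
# assumes the program performs the default OpenSSL 1.1.1 auto-initialisation.

openssl_conf = openssl_init          # top-level entry point read at init

[openssl_init]
ssl_conf = ssl_sect                  # libssl settings live under this section

[ssl_sect]
system_default = system_default_sect # applied to every new SSL_CTX

[system_default_sect]
# Disable all renegotiation in TLS 1.2 and earlier; same effect as
# SSL_OP_NO_RENEGOTIATION. TLS 1.3 has no renegotiation at all.
Options = NoRenegotiation
```

To confirm the setting took effect on your own server, connect with `openssl s_client -connect host:25 -starttls smtp` and send the `R` command; a correctly configured server will refuse the renegotiation (typically with a no_renegotiation alert) rather than performing it.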