[exim] Client-initiated renegotiation

Góra strony
Delete this message
Reply to this message
Autor: jmedard
Data:  
Dla: exim-users
Temat: [exim] Client-initiated renegotiation
Hello,



Unlike other OpenSSL options provided on Exim via "openssl_options", it is
not possible for the moment to set the current option on OpenSSL 1.1.1:
"-no_renegotiation" (SSL_OP_NO_NO_RENEGOTIATION) in order to avoid the
possibility of DDOS on "Client-initiated renegotiation". That's a real
shame.



Client-initiated renegotiation is not recommended as it opens a server to
DoS attacks inside a TLS connection (like TLS 1.2 Essentially). It should
therefore be disabled. See the "IT Security Guidelines for TLS" for more
information:
https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-g
uidelines-for-transport-layer-security-tls.



Do you know how I could force this option directly on OpenSSL? Like an
openssl.cfg configuration !



Regards

JME