Re: [TLS] SSL Renegotiation DOS

"Jorge A. Orchilles" <jorge@orchilles.com> Fri, 18 March 2011 23:03 UTC

Return-Path: <jorge@orchilles.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3AE6F3A6A7C for <tls@core3.amsl.com>; Fri, 18 Mar 2011 16:03:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.422
X-Spam-Level:
X-Spam-Status: No, score=-2.422 tagged_above=-999 required=5 tests=[AWL=0.554, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fd-9xutw+du0 for <tls@core3.amsl.com>; Fri, 18 Mar 2011 16:03:12 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 2C0EE3A6A6D for <tls@ietf.org>; Fri, 18 Mar 2011 16:03:11 -0700 (PDT)
Received: by fxm15 with SMTP id 15so4455559fxm.31 for <tls@ietf.org>; Fri, 18 Mar 2011 16:04:41 -0700 (PDT)
Received: by 10.223.110.38 with SMTP id l38mr1890326fap.116.1300489481372; Fri, 18 Mar 2011 16:04:41 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by mx.google.com with ESMTPS id n26sm1572636fam.13.2011.03.18.16.04.39 (version=SSLv3 cipher=OTHER); Fri, 18 Mar 2011 16:04:40 -0700 (PDT)
Received: by fxm15 with SMTP id 15so4455542fxm.31 for <tls@ietf.org>; Fri, 18 Mar 2011 16:04:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.6.11 with SMTP id 11mr1915701fax.93.1300489479212; Fri, 18 Mar 2011 16:04:39 -0700 (PDT)
Received: by 10.223.98.205 with HTTP; Fri, 18 Mar 2011 16:04:39 -0700 (PDT)
In-Reply-To: <0F7F9A82BB0DBB4396A9F8386D0E061206623016@pos-exch1.corp.positivenetworks.net>
References: <AANLkTin2i3+K8oV68pZFJ0xabjEugJLePyZTTaZSr0VE@mail.gmail.com> <AANLkTimVvBOdX9JNXE+JyZS5vTHsXnfhQMAH2cTgTRfM@mail.gmail.com> <0F7F9A82BB0DBB4396A9F8386D0E061206623016@pos-exch1.corp.positivenetworks.net>
Date: Fri, 18 Mar 2011 20:04:39 -0300
Message-ID: <AANLkTikj21YvjEyZhX1ZGR5Cn4rOu8ugYs3abDYojpMi@mail.gmail.com>
From: "Jorge A. Orchilles" <jorge@orchilles.com>
To: Steve Dispensa <dispensa@phonefactor.com>
Content-Type: multipart/alternative; boundary="00151747849e7150a6049ec9cd3d"
Cc: tls@ietf.org
Subject: Re: [TLS] SSL Renegotiation DOS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Mar 2011 23:03:13 -0000

Thank you for the response. Many implementations allow SSL Renegotiation by
default. IIS is one that does not.

Best Regards,
Jorge Orchilles



On Tue, Mar 15, 2011 at 10:23 AM, Steve Dispensa
<dispensa@phonefactor.com>wrote:

> > -----Original Message-----
> > From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of
> > Nikos Mavrogiannopoulos
> >
> > Hello,
> >  I'm curious, what is the effect of that in typical HTTPS servers? Do
> > servers allow
> > for renegotiation initiated by the client? (apache with mod_gnutls
> > doesn't)
>
> When we looked at implementations last year, we found that IIS was
> definitely not willing to do client-initiated renegotiation, but at the time
> there were a few that would. I'm sure a lot has changed since I last looked
> at it.
>
>  -Steve
>