Re: [TLS] SSL Renegotiation DOS

Eric Rescorla <> Tue, 15 March 2011 16:19 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Tue, Mar 15, 2011 at 9:07 AM, Martin Rex <> wrote:
> Jorge A. Orchilles wrote:
>> Marsh Ray has invited me to present my research and report on SSL/TLS
>> Renegotiation Denial of Service on this mailing list. I have posted this on
>> my site and will paste here for your feedback:
>> *SSL/TLS Renegotiation Denial of Service*
>> An SSL/TLS handshake requires at least 10 times more processing power on the
>> server than on the client.
> I'm sorry, I completely fail to see what renegotiation has to do
> with the DoS capability here.
> The TLS protocol is a cryptographic protocol, and servers that expect
> to talk to real clients performing the protocol as designed will attempt
> to perform the cryptographic operations as requested.
> A DoS-client could simply open new connections to the SSL server and
> blindly fire away precompiled static SSL handshake messages, forcing the
> server to do crypto work.  You should be able to make most servers
> perform RSA decrypts on arbitrary data, and a significant number
> to perform DHE computations.

I tend to agree with Martin here: I don't see how this is significantly
worse than separate connections. Arguably, it's better from the victim's
perspective, since common implementations run each SSL/TLS connection in
its own control thread (or process) and so the scheduler will try to
fairly share between connections to some extent meaning that the single
offending connection is bounded in terms of how much it can affect other
users.
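
The point made in this thread, that a handshake forced by renegotiation costs the server the same as one forced by a new connection, suggests budgeting handshakes per client rather than counting renegotiations alone. The sketch below is an added example, not code from any poster or TLS implementation; the class and function names, the rate and burst values, and the event list are constructed for illustration.

```python
from collections import defaultdict

class HandshakeBudget:
    """Token bucket per client address (hypothetical helper). Every full
    handshake costs one token, whether it starts a new connection or
    renegotiates an existing one."""
    def __init__(self, rate_per_s=1.0, burst=5):
        self.rate, self.burst = rate_per_s, burst
        self.state = {}  # addr -> (tokens, timestamp of last update)

    def allow(self, addr, now):
        tokens, last = self.state.get(addr, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.state[addr] = (tokens - 1.0 if ok else tokens, now)
        return ok

def replay(events, budget):
    """events: (ts_seconds, addr, kind), kind is "new" or "reneg".
    Returns the number of refused handshakes per address."""
    refused = defaultdict(int)
    for ts, addr, _kind in sorted(events):
        if not budget.allow(addr, ts):
            refused[addr] += 1
    return dict(refused)

def reneg_only_counts(events):
    """The narrower view: count only renegotiations per address."""
    counts = defaultdict(int)
    for _ts, addr, kind in events:
        if kind == "reneg":
            counts[addr] += 1
    return dict(counts)

def sample_events():
    """Constructed input: two clients force 20 handshakes in one second,
    one by renegotiating, one by reconnecting; a third connects once."""
    ev = [(i * 0.05, "198.51.100.7", "reneg") for i in range(20)]
    ev += [(i * 0.05, "198.51.100.8", "new") for i in range(20)]
    ev.append((0.5, "198.51.100.9", "new"))
    return ev

if __name__ == "__main__":
    ev = sample_events()
    print("refused by handshake budget:", replay(ev, HandshakeBudget()))
    print("seen by renegotiation count:", reneg_only_counts(ev))
```

Both noisy clients are throttled identically by the per-client budget, while the renegotiation-only count never sees the client that simply reconnects.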