On 25.10.2011, at 14.38, Steinar Bang wrote:

>>>>>> Timo Sirainen <t...@iki.fi>:
>
>> Yes, SSL handshakes are extra. Although SSL supports some kind of
>> quick renegotiation too, but Dovecot doesn't support that yet. No
>> one's ever requested it.

Looks like it's not "renegotiation" but more like session resume/resumption/cache or something that I was thinking about.

> Hum... this article (in Norwegian)
> http://www.digi.no/881186/skrekkverktoy-slaar-ut-%ABsikre%BB-servere
> addresses the SSL renegotiation vulnerability, and how it can be used to
> DOS servers using SSL from a single machine with low bandwidth.
>
> At the end the article is discussing how to configure off the SSL
> renegotiate in different servers, and that the author had been unable to
> find a setting for disabling SSL renegotiate in dovecot (and if anyone
> knows how, please inform him).
>
> Could the reason he hasn't found such a setting be that SSL renegotiate
> isn't supported at all in dovecot...?

Looking at the OpenSSL code, I don't see any way to disable it. Or possibly with some undocumented kludgy way, but I don't really know enough about OpenSSL to implement it. Anyway, I'd think fail2ban should mostly solve this problem.
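As an added illustration of the fail2ban approach mentioned above (example code, not from the thread or from Dovecot), the script below does what a fail2ban jail would: it extracts the remote IP from Dovecot imap-login lines that disconnected after TLS handshaking without any auth attempt, and flags sources that exceed `maxretry` such events within a `findtime` window. The log lines are constructed to approximate Dovecot's format, and `FAILREGEX` is a hypothetical jail pattern, not one shipped with fail2ban.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, approximating Dovecot imap-login log lines (not real data):
# one source opens six TLS sessions in a few seconds and never authenticates,
# another source does the same twice, and a third logs in normally.
SAMPLE_LOG = "\n".join(
    [f"Oct 25 14:38:0{i} mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
     f"user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking, session=<a{i}>" for i in range(1, 7)]
    + [f"Oct 25 14:38:0{i} mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
       f"user=<>, rip=198.51.100.77, lip=198.51.100.5, TLS handshaking, session=<c{i}>" for i in (2, 4)]
    + ["Oct 25 14:38:05 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
       "rip=203.0.113.7, lip=198.51.100.5, TLS, session=<b1>"]
)

# Hypothetical fail2ban failregex for the same event (<HOST> is fail2ban's IP placeholder).
FAILREGEX = r"imap-login: Disconnected \(no auth attempts[^)]*\): .*rip=<HOST>,.*TLS handshaking"

# Python equivalent of the failregex, with the syslog timestamp captured as well.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"Disconnected \(no auth attempts[^)]*\): .*rip=(?P<rip>[0-9a-fA-F.:]+),.*TLS handshaking"
)


def find_handshake_floods(log_text, year=2011, maxretry=5, findtime=60):
    """Return {rip: peak_count} for sources with >= maxretry handshake-only
    disconnects inside any findtime-second sliding window (fail2ban semantics)."""
    windows = defaultdict(deque)   # rip -> timestamps of recent matching events
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue               # logins and unrelated lines are not counted
        # Syslog timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = windows[m["rip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()            # drop events that fell out of the window
        if len(q) >= maxretry:
            flagged[m["rip"]] = max(flagged.get(m["rip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    print(find_handshake_floods(SAMPLE_LOG))   # → {'192.0.2.10': 6}
```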