http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html -> "Things get worse" shows that it's easier to DoS the server with multiple connections than with renegotiations, so I don't know if there's much point in disabling renegotiations. Perhaps Dovecot could allow e.g. one renegotiation per minute, but is that really worth the trouble?.. Perhaps there even are some clients that do renegotiations and Dovecot would break them.