On Thu, Feb 25, 2010 at 11:45:14PM +0100, Dr. Stephen Henson wrote:

> This isn't a DoS issue as such, it's just the client sending a message and
> never getting the reply it expects. You'd get exactly the same behaviour by
> connecting to a server and either never sending any data or deliberately not
> completing the handshake.
I consider resource starvation a more serious DoS issue when the resource starvation happens without a deliberate attack, but is instead expected under normal operating conditions.

If I field a patched server, and sufficiently many unpatched pre-0.9.8m OpenSSL clients attempt re-negotiation under normal conditions, I have a resource starvation problem and unhappy users who are more annoyed at stuck connections than failed ones.

I don't know to what extent this will impact our systems, but I am more inclined to break midstream re-negotiation with legacy clients than to expose the server and all unpatched clients to stuck sessions.

Thanks for the suggested patch, I'll chat to our web-plant team to find out which of the two non-optimal behaviours they are more comfortable with.

--
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org