Hi,

On 26/03/2021 12:03, Arne Schwabe wrote:
> On 26.03.21 at 00:15, Antonio Quartulli wrote:
>> Hi,
>>
>> On 25/03/2021 18:44, Arne Schwabe wrote:
>>> These have been troublesome in the past and also today's CVE-2021-3449
>>> DOS is only exploitable if renegotiation is enabled.
>>>
>>> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
>>
>> What is the practical effect of this change?
>> With the current code (before this patch) when would OpenSSL/mbedTLS
>> start a renegotiation on its own?
>>
>
>
> Documentation from OpenSSL:
>
> SSL_OP_NO_RENEGOTIATION
> Disable all renegotiation in TLSv1.2 and earlier. Do not send
> HelloRequest messages, and ignore renegotiation requests via ClientHello.
>
> From mbed TLS:
>
> Enable / Disable renegotiation support for connection when initiated by
> peer (Default: MBEDTLS_SSL_RENEGOTIATION_DISABLED)
>
> Warning
> It is recommended to always disable renegotiation unless you know you
> need it and you know what you're doing. In the past, there have been
> several issues associated with renegotiation or a poor understanding of
> its properties.
> Note
> Server-side, enabling renegotiation also makes the server susceptible to
> a resource DoS by a malicious client.
>
>
> So for mbed TLS it was off by default anyway, this patch just doesn't
> trust the default for mbed TLS. Renegotiation is also dropped from TLS
> 1.3. Furthermore in TLS 1.2 you would use it to restart a session with
> different parameters (now with client certs). So there is no real use case
> in OpenVPN to have it enabled.
>
Thanks a lot! This was definitely eye-opening, especially for somebody that
does not eat oat and SSL for breakfast :-)

It'd be nice though to have a little summary of this in the commit message
(no need to copy/paste verbatim text from openssl/mbedtls though).

I have a couple of minor comments for the patch...incoming soon!

Cheers,

-- 
Antonio Quartulli

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel