On Sat, Jun 08, 2019 at 11:12:24AM +0200, L. Jankok wrote:

> In my main.cf I have "tls_ssl_options=NO_RENEGOTIATION" but when I use the
> mailserver verification option from https://internet.nl I get the report
> that TLS client-initiated renegotiation is not disabled and that therefore
> my postfix setup is prone to a DOS attack by means of CPU resource
> starvation.
> 
> 1. Is this a false positive?

Perhaps not.

> 2. If it is indeed an issue, how to disable TLS client-initiated
> renegotiation with postfix?

You need at least OpenSSL 1.1.1 for that option to have any effect.
From the SSL_CTX_set_options(3) manpage:

    HISTORY
       ...
       The SSL_OP_PRIORITIZE_CHACHA and SSL_OP_NO_RENEGOTIATION options were
       added in OpenSSL 1.1.1.

Likely your OpenSSL version is older.

-- 
        Viktor.
