On 25.10.2011, at 14.38, Steinar Bang wrote:
Timo Sirainen tss@iki.fi:
Yes, SSL handshakes are extra. Although SSL supports some kind of quick renegotiation too, but Dovecot doesn't support that yet. No one's ever requested it.
Looks like it's not "renegotiation" but more like session resume/resumption/cache or something that I was thinking about.
Hum... this article (in Norwegian) http://www.digi.no/881186/skrekkverktoy-slaar-ut-%ABsikre%BB-servere addresses the SSL renegotiation vulnerability, and how it can be used to DoS servers using SSL from a single machine with low bandwidth.
At the end the article is discussing how to configure off the SSL renegotiate in different servers, and that the author had been unable to find a setting for disabling SSL renegotiate in dovecot (and if anyone knows how, please inform him).
Could the reason he hasn't found such a setting be that SSL renegotiate isn't supported at all in dovecot...?
Looking at the OpenSSL code, I don't see any way to disable it. Or possibly with some undocumented kludgy way, but I don't really know enough about OpenSSL to implement it.
Anyway, I'd think fail2ban should mostly solve this problem.
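Timo's fail2ban suggestion, as an added example that is not code from this thread or from Dovecot: the per-IP threshold logic a fail2ban jail applies (maxretry failures within findtime seconds), run over constructed log lines written in the style of Dovecot's imap-login messages (the exact wording is an assumption, not a real capture), flagging a client that keeps opening TLS handshakes and dropping them without ever authenticating.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of Dovecot imap-login output (assumed format).
# 198.51.100.7 opens and drops TLS handshakes in quick succession; 203.0.113.5 is a
# normal client with one failed handshake followed by a successful login.
SAMPLE_LOG = """\
Oct 25 14:38:01 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: Disconnected
Oct 25 14:38:01 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: Disconnected
Oct 25 14:38:02 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.5, lip=192.0.2.10, TLS handshaking: Disconnected
Oct 25 14:38:02 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: Disconnected
Oct 25 14:38:03 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Oct 25 14:38:03 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: Disconnected
Oct 25 14:38:04 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: Disconnected
"""

# Matches a login-process disconnect that happened while still in the TLS handshake,
# i.e. a connection that never reached authentication.
HANDSHAKE_FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: \w+-login: '
    r'Disconnected .*?rip=(?P<rip>[0-9A-Fa-f.:]+).*TLS handshaking'
)


def handshake_failures(log_text):
    """Yield (timestamp, remote_ip) for each TLS handshake that ended without a login."""
    for line in log_text.splitlines():
        m = HANDSHAKE_FAIL_RE.search(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, fine for deltas
            yield datetime.strptime(m.group('ts'), '%b %d %H:%M:%S'), m.group('rip')


def offenders(log_text, maxretry=5, findtime=600):
    """Return the IPs with at least maxretry handshake failures inside a sliding
    findtime-second window, the same test a fail2ban jail applies before banning."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, ip in handshake_failures(log_text):
        hits = [t for t in recent[ip] if ts - t <= window]  # drop expired failures
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned.add(ip)
    return banned
```

The successful "Login:" line is deliberately not counted, so a legitimate client with an occasional failed handshake stays below the threshold.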