Option to disable client-initiated renegotiation
Hello, is there any way to disallow client-initiated renegotiation at the dovecot? I haven't found any mention of this feature within source code as well as at the documentation.
I am asking about it because without this feature mail server is vulnerable to a TLS renegotiation DoS attack which can consume a lot of CPU and is harder to combat comparing to a basic TLS connections flood.
On 13/03/2023 15:24 EET Serg <me@at.encryp.ch> wrote:
Hello, is there any way to disallow client-initiated renegotiation at the dovecot? I haven't found any mention of this feature within source code as well as at the documentation.
I am asking about it because without this feature mail server is vulnerable to a TLS renegotiation DoS attack which can consume a lot of CPU and is harder to combat comparing to a basic TLS connections flood.
There is no dovecot config option. However, you can use e.g. /etc/ssl/openssl.cnf to disable this (or whatever the default file in your system is):
openssl_conf = default_conf
[default_conf] ssl_conf = ssl_sect
[ssl_sect] system_default = system_default_sect
[system_default_sect] Options = NoRenegotiation
Aki
participants (2)
-
Aki Tuomi
-
Serg