[Dovecot] SSL renegotiation vulnerability

Timo Sirainen tss at iki.fi
Fri Nov 4 22:01:23 EET 2011


http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html -> "Things
get worse" shows that it's easier to DoS the server with multiple
connections than with renegotiations, so I don't know if there's much
point in disabling renegotiations. Perhaps Dovecot could allow e.g. one
renegotiation per minute, but is that really worth the trouble?..
Perhaps there even are some clients that do renegotiations and Dovecot
would break them.
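The "one renegotiation per minute" idea from the message above, sketched as per-connection logic. This is an added example, not part of the original post and not Dovecot code. The struct, function names and the 60-second constant are hypothetical, and it assumes the caller is notified of each handshake start (with OpenSSL, for instance, an info callback receiving SSL_CB_HANDSHAKE_START) and passes seconds from a monotonic clock.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names throughout; illustrative only, not Dovecot's API. */
#define RENEG_MIN_INTERVAL_SECS 60

struct reneg_limiter {
    bool initial_seen;      /* the first handshake is not a renegotiation */
    bool have_last;         /* at least one renegotiation was allowed */
    long last_allowed;      /* monotonic seconds of last allowed renegotiation */
    unsigned int rejected;  /* refused attempts, useful for logging */
};

void reneg_limiter_init(struct reneg_limiter *l)
{
    l->initial_seen = false;
    l->have_last = false;
    l->last_allowed = 0;
    l->rejected = 0;
}

/* Call once per handshake start on a connection.
 * Returns true if the handshake may proceed, false if the caller
 * should close the connection because renegotiation came too soon. */
bool reneg_limiter_on_handshake_start(struct reneg_limiter *l, long now)
{
    if (!l->initial_seen) {          /* initial handshake: always allowed */
        l->initial_seen = true;
        return true;
    }
    if (l->have_last && now - l->last_allowed < RENEG_MIN_INTERVAL_SECS) {
        l->rejected++;               /* refused attempts do not reset the window */
        return false;
    }
    l->have_last = true;             /* allowed: start a new window */
    l->last_allowed = now;
    return true;
}

int main(void)
{
    /* Constructed timeline (seconds): connect, then four renegotiation attempts. */
    long events[] = { 100, 101, 130, 160, 161 };
    struct reneg_limiter l;
    reneg_limiter_init(&l);
    for (size_t i = 0; i < sizeof(events) / sizeof(events[0]); i++)
        printf("t=%ld %s\n", events[i],
               reneg_limiter_on_handshake_start(&l, events[i]) ? "allow" : "drop");
    return 0;
}
```

A limiter like this bounds handshakes per connection only; the multiple-connection case the linked article describes needs a separate per-source connection limit.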





