Option to disable client-initiated renegotiation
Aki Tuomi
aki.tuomi at open-xchange.com
Mon Mar 13 13:43:22 UTC 2023
> On 13/03/2023 15:24 EET Serg <me at at.encryp.ch> wrote:
>
>
> Hello, is there any way to disallow client-initiated renegotiation at
> the dovecot? I haven't found any mention of this feature within source
> code as well as at the documentation.
>
> I am asking about it because without this feature mail server is
> vulnerable to a TLS renegotiation DoS attack which can consume a lot of
> CPU and is harder to combat comparing to a basic TLS connections flood.
There is no dovecot config option. However, you can use e.g. /etc/ssl/openssl.cnf to disable this (or whatever the default file in your system is):
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = NoRenegotiation
Aki
More information about the dovecot
mailing list