New denial of service tool knocks out encrypting servers

http://www.h-online.com/security/news/item/New-denial-of-service-tool-knocks-out-encrypting-servers-1366564.html

I link the article to make sure everyone see’s it; but also to frame a
question. The “Fix” seems to be to simply disable SSL-Renegotiation so
that its not hammered over and over. The question: How do you disable
SSL Renegotiation on Nginx? I tried googling “Nginx Disable SSL
Renegotiation” but all that came back was patches to add the ability
TO disable it in Nginx, no actual config option. Anyone know?

2011/10/26 Eric G. [email protected]:

http://www.h-online.com/security/news/item/New-denial-of-service-tool-knocks-out-encrypting-servers-1366564.html

I link the article to make sure everyone see’s it; but also to frame a
question. The “Fix” seems to be to simply disable SSL-Renegotiation so
that its not hammered over and over. The question: How do you disable
SSL Renegotiation on Nginx? I tried googling “Nginx Disable SSL
Renegotiation” but all that came back was patches to add the ability
TO disable it in Nginx, no actual config option. Anyone know?

The real thing is here:
http://www.thc.org/thc-ssl-dos/

Just by looking over it, it seems there is no generic solution to the
problem, but a specific defense to this attack could be to limit the
throughput of SSL handshakes, and to queue pending requests,
prioritizing the host with the least number of handshake requests in
this queue. Also, more than a sane number of handshake requests from a
single host could be dropped.


Lucas Clemente Vella
[email protected]

Hello!

On Tue, Oct 25, 2011 at 10:58:33PM -0400, Eric G. wrote:

http://www.h-online.com/security/news/item/New-denial-of-service-tool-knocks-out-encrypting-servers-1366564.html

I link the article to make sure everyone see’s it; but also to frame a
question. The “Fix” seems to be to simply disable SSL-Renegotiation so
that its not hammered over and over. The question: How do you disable
SSL Renegotiation on Nginx? I tried googling “Nginx Disable SSL
Renegotiation” but all that came back was patches to add the ability
TO disable it in Nginx, no actual config option. Anyone know?

Renegotiation is unconditionally disabled since nginx 0.8.23 /
0.7.64, see CHANGES:

Changes with nginx 0.8.23
11 Nov 2009

*) Security: now SSL/TLS renegotiation is disabled.

Changes with nginx 0.7.64
16 Nov 2009

*) Security: now SSL/TLS renegotiation is disabled.

Maxim D.


nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs