7c9c39e Ticket 49303 - Add option to disable TLS client-initiated renegotiation

3 files. Authored by merlinthp 6 years ago, committed by William Brown 6 years ago.
    Ticket 49303 - Add option to disable TLS client-initiated renegotiation
    
    Bug Description:  TLS renegotiation is a CPU-intensive process, which a
    malicious client could use to consume server resources and perform a
    denial of service attack.  NSS defaults to allowing client-initiated
    renegotiation, but has an option to disable it.  It would be useful to
    expose this as a DS configuration option.
    
    Fix Description:  Added a new 'nsTLSAllowClientRenegotiation' attribute
    to the cn=encryption,cn=config object.  This takes two values, 'yes' and
    'no'.  If the value is 'no', renegotiation is disabled.  If the value is
    'yes', is not set, or is set to an invalid value, renegotiation is
    enabled.
    
    https://pagure.io/389-ds-base/issue/49303
    
    Author: Howard Johnson <merlin@merlinthp.org>
    
    Review by: wibrown (Thanks!)
    
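The LDIF below is an added example, not part of this commit, showing how an administrator would turn the new attribute on to disable client-initiated renegotiation; the host, bind DN and file name in the comments are assumptions.

```ldif
# Added example (not from the commit): disable client-initiated TLS
# renegotiation on a 389 DS instance via the attribute this fix introduces.
# Apply with, for example (host, bind DN and file name are assumed):
#   ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W -f disable-renego.ldif
# Verify the stored value afterwards:
#   ldapsearch -x -H ldap://localhost -D "cn=Directory Manager" -W \
#     -b cn=encryption,cn=config -s base nsTLSAllowClientRenegotiation
dn: cn=encryption,cn=config
changetype: modify
replace: nsTLSAllowClientRenegotiation
nsTLSAllowClientRenegotiation: no
```

Only the exact value 'no' disables renegotiation; an unset, misspelled or otherwise invalid value leaves it enabled, so the ldapsearch check is worth running rather than assuming a typo would be rejected.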