Ticket 49303 - Add option to disable TLS client-initiated renegotiation
Bug Description: TLS renegotiation is a CPU-intensive process, which a
malicious client could use to consume server resources and perform a
denial of service attack. NSS defaults to allowing client-initiated
renegotiation, but has an option to disable it. It would be useful to
expose this as a DS configuration option.
Fix Description: Added a new 'nsTLSAllowClientRenegotiation' attribute
to the cn=encryption,cn=config object. This takes two values, 'yes' and
'no'. If the value is 'no', renegotiation is disabled. If the value is
'yes', is not set, or is set to an invalid value, renegotiation is
enabled.
https://pagure.io/389-ds-base/issue/49303
Author: Howard Johnson <merlin@merlinthp.org>
Review by: wibrown (Thanks!)
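
An added example, not part of this commit or the 389-ds code base: a small audit that reads an LDIF export of the server configuration and reports the effective setting using the semantics in the Fix Description, including the case where an invalid value leaves renegotiation enabled. The function names, the exact-match comparison of values, and the sample input are assumptions made for illustration.

```python
import base64
import re

# Semantics taken from the commit message: only 'no' disables renegotiation;
# 'yes', an unset attribute, or an invalid value all leave it enabled.
# Assumption: values are compared exactly (case handling is not stated).
ATTR = "nstlsallowclientrenegotiation"
ENTRY_DN = "cn=encryption,cn=config"

def parse_ldif(text):
    """Return [(normalized_dn, {attr_lower: [values]})] from LDIF text."""
    text = re.sub(r"\r?\n ", "", text)            # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if value.startswith(":"):             # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if name == "dn":
                dn = re.sub(r"\s*,\s*", ",", value.lower())
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def renegotiation_status(ldif_text):
    """Return (allowed, reason); allowed is None if the entry is missing."""
    for dn, attrs in parse_ldif(ldif_text):
        if dn != ENTRY_DN:
            continue
        values = attrs.get(ATTR)
        if not values:
            return True, "attribute not set: renegotiation enabled"
        if values[0] == "no":
            return False, "set to 'no': renegotiation disabled"
        if values[0] == "yes":
            return True, "set to 'yes': renegotiation enabled"
        return True, f"invalid value {values[0]!r}: renegotiation enabled"
    return None, "cn=encryption,cn=config entry not found"

# Constructed sample, not taken from a real server.
SAMPLE = """\
dn: cn=encryption,cn=config
objectClass: top
nsTLSAllowClientRenegotiation: disabled
"""

if __name__ == "__main__":
    print(renegotiation_status(SAMPLE))
```

The constructed sample uses a value that looks like it should turn the feature off but is not 'no', so the audit reports renegotiation as still enabled.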