[pve-devel] applied: [PATCH http-server] fix #3724: disable TLS renegotiation

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Nov 16 07:34:57 CET 2021


On 15.11.21 21:50, Stoiko Ivanov wrote:
> The issue is probably not critical and best addressed by not running
> the perl API servers in an exposed environment or when this needs to
> be done by installing a reverse proxy in front of them.
> 
> The DOS potential of the perl daemons is limited more by the limited
> number of parallel workers (and the memory constraints of starting
> more of them), than by the CPU cycles wasted on TLS renegotiation.
> 
> Still disabling TLS renegotiation should show very little downside:
> * it was removed in TLS 1.3 for security reasons
> * it was the way nginx addressed this issue [1].
> * we do not use client certificate authentication
> 
> Tested by running `openssl s_client -no_tls1_3 -connect 192.0.2.1:8006`
> and issuing a `HEAD / HTTP/1.1\nR\n`
> with and without the patch.
> 
> [1] 70bd187c4c386d82d6e4d180e0db84f361d1be02 at
>     https://github.com/nginx/nginx (although that code adapted to
>     the various changes in openssl API over the years)
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
>  src/PVE/APIServer/AnyEvent.pm | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
>

applied, thanks!





More information about the pve-devel mailing list