Disable Secure Client-Initiated Renegotiation #1257

Closed
daenney opened this issue May 3, 2019 · 4 comments

daenney commented May 3, 2019

I'd like the ability to configure mosquitto to disable Secure Client-Initiated Renegotiation. It's a potential DoS vector.

Contributor

ralight commented May 22, 2019

Would it be reasonable to have this disabled completely rather than configurable?

Contributor

ralight commented May 22, 2019

From what I've read, the movement appears to be towards disabling renegotiation completely.

Author

daenney commented May 22, 2019

Yes, I would disable it completely but I figured it should at least be configurable.

ralight added this to the 1.6.3 milestone May 28, 2019
ralight added a commit that referenced this issue May 29, 2019
Client initiated renegotiation is considered to be a potential attack
vector against servers.

Closes #1257. Thanks to Daniele Sluijters.

Contributor

ralight commented May 29, 2019

Renegotiation disabled! Thanks for the report.

ralight closed this as completed May 29, 2019
vankxr pushed a commit to vankxr/mosquitto that referenced this issue Aug 9, 2019
Client initiated renegotiation is considered to be a potential attack
vector against servers.

Closes eclipse#1257. Thanks to Daniele Sluijters.
lock bot locked as resolved and limited conversation to collaborators Aug 27, 2019
ralight added a commit that referenced this issue Sep 18, 2019
Client initiated renegotiation is considered to be a potential attack
vector against servers.

Closes #1257. Thanks to Daniele Sluijters.