Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:65491 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 68721 invoked from network); 30 Jan 2013 11:28:23 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 30 Jan 2013 11:28:23 -0000 Authentication-Results: pb1.pair.com header.from=chrisw@aquacool.ltd.uk; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=chrisw@aquacool.ltd.uk; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain aquacool.ltd.uk designates 77.107.181.84 as permitted sender) X-PHP-List-Original-Sender: chrisw@aquacool.ltd.uk X-Host-Fingerprint: 77.107.181.84 stockport.aquacool.ltd.uk Received: from [77.107.181.84] ([77.107.181.84:40938] helo=stockport.aquacool.ltd.uk) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id E4/4B-09318-1D309015 for ; Wed, 30 Jan 2013 06:28:18 -0500 Received: from DC01.aquacool.local ([fe80::9298:e041:a36d:d691]) by DC01.aquacool.local ([fe80::9298:e041:a36d:d691%11]) with mapi id 14.01.0438.000; Wed, 30 Jan 2013 11:28:14 +0000 To: "internals@lists.php.net" Thread-Topic: SSL renegotiation DoS attack mitigation Thread-Index: Ac3+3ONYtzSVFXDwSvW11nKOwLREsA== Date: Wed, 30 Jan 2013 11:28:12 +0000 Message-ID: <075AE850888292488D400D9632DFE6E1024006C0@DC01.aquacool.local> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [192.168.63.150] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: SSL renegotiation DoS attack mitigation From: chrisw@aquacool.ltd.uk (Chris Wright) PHP is currently susceptible to the DoS attack described here: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html Obviously this is a fairly narrow scenario, it only comes into play when PH= P is acting as a socket server providing secure connectivity, it is not the= responsibility of PHP to counter low-level attacks like this when it is ru= nning behind a web server. This is not really a PHP issue as such, more a problem with OpenSSL, which= currently does not allow you to disable renegotiation - the feature was im= plemented in 0.9.8l and subsequently dropped. However I believe it should s= till be possible to mitigate this attack in PHP, through the use of SSL_CTX= _set_info_callback(): http://www.openssl.org/docs/ssl/SSL_CTX_set_info_callback.html It should be possible to capture the SSL_CB_HANDSHAKE_START event and utili= se it to implement a rate limiting for renegotiations. If I am reading the = not-100%-clear documentation correctly, the callback will be fired with thi= s reason code when a renegotiation occurs, so it should be possible (?) to = use this to implement an interval threshold, above which the connection wil= l be dropped. It would also be good to have this controllable via a stream context option= , and maybe to provide the possibility for a user-land callback as well, si= nce the rate limiting would mean the attack could still theoretically be pe= rformed via multiple connections. I am unable to provide a patch for this straight off the bat, as I do not k= now the PHP source well enough and my C-fu may not be good enough, but if i= t is something the community might be interested in/would find acceptable m= y colleagues and/or I can look at providing an implementation. Please note (to avoid confusion) that this does not pertain to the MITM att= ack described here: http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.htm= l This attack is not possible as long as PHP was compiled against OpenSSL 0.9= .8m or later. Best Regards Chris Wright