aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src/dtls_connection.erl
diff options
context:
space:
mode:
authorFred Hebert <[email protected]>2015-06-02 10:51:22 -0400
committerFred Hebert <[email protected]>2015-06-03 11:58:41 -0400
commit916226427901f40d695d0d7d91106b0188900055 (patch)
tree73be5bfe291c530a46dd6486a07724c287d80087 /lib/ssl/src/dtls_connection.erl
parent21b8941d83516e381000387c47758bc7f040ae8b (diff)
downloadotp-916226427901f40d695d0d7d91106b0188900055.tar.gz
otp-916226427901f40d695d0d7d91106b0188900055.tar.bz2
otp-916226427901f40d695d0d7d91106b0188900055.zip
Add disable client-initiated renegotiation option
Client-initiated renegotiation is more costly for the server than the client, and this feature can be abused in denial of service attempts. Although the ssl application already takes counter-measure for these (via cooldown periods between renegotiations), it can be useful to disable the feature entirely. This patch adds the `{client_renegotiation, boolean()}' option to the server-side of the SSL application (defaulting to `true' to be compatible with the current behaviour). The option disables the ability to do any renegotiation at all in the protocol's state, reusing the existing denial code, but without opening the code path that sets up a timed message to eventually reopen it up.
Diffstat (limited to 'lib/ssl/src/dtls_connection.erl')
-rw-r--r--lib/ssl/src/dtls_connection.erl1
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index 508983ddac..039495ef9e 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -513,6 +513,7 @@ initial_state(Role, Host, Port, Socket, {SSLOptions, SocketOptions}, User,
user_data_buffer = <<>>,
session_cache_cb = SessionCacheCb,
renegotiation = {false, first},
+ allow_renegotiate = SSLOptions#ssl_options.client_renegotiation,
start_or_recv_from = undefined,
send_queue = queue:new(),
protocol_cb = ?MODULE