dotiao / rfc5766-turn-server

Automatically exported from code.google.com/p/rfc5766-turn-server

Turnserver resource exhaustion via a TLS/SSL client-side renegotiation attack. #136

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The turn server is susceptible to a client-side-initiated TLS renegotiation attack. This attack will consume all processor resources on the host, which in turn effectively takes down the turn server.

This can be easily reproduced using the THC-SSL-DOS tool from a single PC.

Currently using rfc5766-turn-server-3.2.4.1-1.1_1.0.7.2 on SLES 11 SP3 with OpenSSL 1.0.1h/i.

Other products are mitigating this attack vector, such as Apache, Nginx, IIS.  

Two possible solutions:

1) Create a flag which enables/disables client-side renegotiation.
2) Implement a limiter. Nginx is a good example.
http://nodejs.org/api/tls.html#tls_client_initiated_renegotiation_attack_mitigation

https://github.com/joyent/node/issues/2726

Original issue reported on code.google.com by bdotstad...@gmail.com on 4 Sep 2014 at 7:05
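The following is an added example illustrating the two mitigations proposed in the report; it is not code from rfc5766-turn-server and not the fix that shipped in 3.2.4.4. It is a per-connection renegotiation budget in plain C, modelled on the Node.js scheme the report links to (Node's defaults are 3 renegotiations per 600 s window): `limit == 0` refuses any client-initiated renegotiation (solution 1), `limit > 0` rate-limits it (solution 2). The `reneg_*` names and the default values are assumptions. The OpenSSL hook-up (`SSL_CTX_set_info_callback`, `SSL_CB_HANDSHAKE_START`, `SSL_CB_HANDSHAKE_DONE`, `SSL_set_ex_data`/`SSL_get_ex_data`) is described in the comments but not compiled in, so the block builds without OpenSSL. Note also that OpenSSL 1.1.0h and later provide `SSL_OP_NO_RENEGOTIATION`, which makes solution 1 a single context option; the 1.0.1 build named in the report has no such option, which is why the callback-based counter matters there.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Per-connection limiter for client-initiated TLS renegotiation.
 * Added example, not the turnserver's own code.
 *
 * Hook-up in an OpenSSL server (not compiled here): register an info
 * callback with SSL_CTX_set_info_callback(); when (where & SSL_CB_HANDSHAKE_START)
 * call reneg_on_handshake_start(), when (where & SSL_CB_HANDSHAKE_DONE) call
 * reneg_on_handshake_done(). The callback returns void, so on a rejection the
 * server marks the connection for closing and stops servicing it. Per-connection
 * state is attached with SSL_set_ex_data()/SSL_get_ex_data().
 */

#define RENEG_LIMIT_DEFAULT  3U    /* assumption: Node.js defaults, 3 renegotiations */
#define RENEG_WINDOW_DEFAULT 600U  /* per 600 seconds, reused here for a TURN server */

struct reneg_limiter {
    unsigned limit;        /* max renegotiations per window; 0 = none allowed */
    unsigned window_secs;  /* window length in seconds */
    unsigned count;        /* renegotiations started in the current window */
    uint64_t window_start; /* epoch seconds at which the current window began */
    bool     initial_done; /* the initial handshake has completed */
};

void reneg_limiter_init(struct reneg_limiter *l, unsigned limit, unsigned window_secs)
{
    l->limit = limit;
    l->window_secs = window_secs;
    l->count = 0;
    l->window_start = 0;
    l->initial_done = false;
}

/* Called on every handshake start. Returns true if the handshake may proceed,
 * false if the peer exhausted its budget and the connection should be dropped. */
bool reneg_on_handshake_start(struct reneg_limiter *l, uint64_t now)
{
    if (!l->initial_done)
        return true;                 /* the first handshake is not a renegotiation */
    /* Open a fresh window when the old one elapsed (or the clock stepped back). */
    if (now < l->window_start || now - l->window_start >= l->window_secs) {
        l->window_start = now;
        l->count = 0;
    }
    l->count++;
    return l->count <= l->limit;     /* limit == 0: every renegotiation is refused */
}

/* Called when a handshake completes; the first completion opens the window. */
void reneg_on_handshake_done(struct reneg_limiter *l, uint64_t now)
{
    if (!l->initial_done) {
        l->initial_done = true;
        l->window_start = now;
    }
}

/* Simulate a THC-SSL-DOS style client: one initial handshake at t0, then
 * `attempts` renegotiations spaced `spacing` seconds apart. Returns the 1-based
 * attempt at which the connection is dropped, or 0 if all were allowed. */
unsigned reneg_simulate_burst(unsigned limit, unsigned window_secs,
                              unsigned attempts, uint64_t spacing, uint64_t t0)
{
    struct reneg_limiter l;
    reneg_limiter_init(&l, limit, window_secs);
    reneg_on_handshake_start(&l, t0);
    reneg_on_handshake_done(&l, t0);
    for (unsigned i = 1; i <= attempts; i++) {
        if (!reneg_on_handshake_start(&l, t0 + (uint64_t)i * spacing))
            return i;
    }
    return 0;
}

int main(void)
{
    printf("rate limit: attacker dropped at renegotiation %u\n",
           reneg_simulate_burst(RENEG_LIMIT_DEFAULT, RENEG_WINDOW_DEFAULT, 1000, 0, 1000));
    printf("renegotiation disabled: attacker dropped at renegotiation %u\n",
           reneg_simulate_burst(0, RENEG_WINDOW_DEFAULT, 1000, 0, 1000));
    printf("well-behaved client, one renegotiation per hour: dropped at %u (0 = never)\n",
           reneg_simulate_burst(RENEG_LIMIT_DEFAULT, RENEG_WINDOW_DEFAULT, 10, 3600, 1000));
    return 0;
}
```

With the default budget an attacker hammering renegotiations is cut off at the fourth attempt within the window, while a client that renegotiates rarely (for example once an hour for key refresh) is never affected; with `limit == 0` the first client-initiated renegotiation already closes the connection. Because the expensive part for the server is the new handshake itself, the check has to run at handshake start, not after the renegotiation completes.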

GoogleCodeExporter commented 9 years ago

Original comment by mom040...@gmail.com on 4 Sep 2014 at 7:20

GoogleCodeExporter commented 9 years ago
will be fixed in 3.2.4.4

Original comment by mom040...@gmail.com on 8 Sep 2014 at 8:29

GoogleCodeExporter commented 9 years ago

Original comment by mom040...@gmail.com on 9 Sep 2014 at 1:36

GoogleCodeExporter commented 9 years ago
Fixed in 3.2.4.4

Original comment by mom040...@gmail.com on 12 Sep 2014 at 6:33