Client-initiated renegotiation attack mitigation


The TLS protocol allows clients to renegotiate certain aspects of the TLS session. Unfortunately, session renegotiation requires a disproportionate amount of server-side resources, making it a potential vector for denial-of-service attacks.

To mitigate the risk, renegotiation is limited to three times every ten minutes. An 'error' event is emitted on the tls.TLSSocket instance when this threshold is exceeded. The limits are configurable:

  • tls.CLIENT_RENEG_LIMIT <number> Specifies the number of renegotiation requests allowed per window. Default: 3.
  • tls.CLIENT_RENEG_WINDOW <number> Specifies the length of the renegotiation window, in seconds. Default: 600 (10 minutes).

The default renegotiation limits should not be modified without a full understanding of the implications and risks.

TLSv1.3 does not support renegotiation.
