Client-initiated renegotiation attack mitigation

The TLS protocol allows clients to renegotiate certain aspects of the TLS session. Unfortunately, session renegotiation requires a disproportionate amount of server-side resources, making it a potential vector for denial-of-service attacks.

To mitigate the risk, renegotiation is limited to three times every ten minutes. An 'error' event is emitted on the tls.TLSSocket instance when this threshold is exceeded. The limits are configurable:

  • tls.CLIENT_RENEG_LIMIT <number> Specifies the number of renegotiation requests allowed per window. Default: 3.

  • tls.CLIENT_RENEG_WINDOW <number> Specifies the renegotiation time window, in seconds. Default: 600 (10 minutes).

The default renegotiation limits should not be modified without a full understanding of the implications and risks.

TLSv1.3 does not support renegotiation.