View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0005532||unreal||ircd||public||2020-01-17 12:55||2021-06-21 09:01|
|Priority||normal||Severity||feature||Reproducibility||have not tried|
|Summary||0005532: be more friendly to TLS users with error messages|
|Description||Consider doing the SSL/TLS handshake even for throttling errors and such when the (reject) connection rate is below a certain amount per second.|
If it is higher than a certain rate, then fall back to the original behavior to reject the user instantly without handshake or looking at any data.
Rationale: the current/original behavior is there so the ircd can handle floods, both in terms of traffic and in terms of CPU usage (the SSL/TLS handshake is quite costly after all). The downside of the current behavior is that TLS users don't see the error message, usually. This feature request tries to find a middle ground.
|Tags||No tags attached.|
|3rd party modules|
Now marked as 'public' and copy-paste from 0005917 with a bit more rationale:
On typical hardware the number of TLS handshakes per second is not all that impressive. Remember, most ircds, including this one, use only one core.
We previously shipped with a RSA 4096 default certificate which allowed only 212signs/sec on 4 year old hardware. That means you can bring the IRCd down completely if you did around 200 TLS connects per second. Or probably worse, since 1 handshake requires 1 sign operation but most likely uses more CPU than just that, some say handshakes/sec is 50% of signs/secs, so then it is only 100 handshakes/sec. That's a feasible attack from even a low-end cable connection.
On the same machine, RSA 3072 could do 480signs/sec. Only with RSA 2048 you get over thousand (1440/sec). With ECC384 things are better at 3816 sign operations per second, which is one of the reasons why that became the config in 5.0.0 for the default self-signed cert.
|2020-01-17 12:55||syzop||New Issue|
|2020-01-17 12:55||syzop||Assigned To||=> syzop|
|2020-01-17 12:55||syzop||Status||new => acknowledged|
|2021-06-21 08:54||syzop||View Status||private => public|
|2021-06-21 09:00||syzop||Note Added: 0022021|
|2021-06-21 09:01||syzop||Note Edited: 0022021|