tls_allow_renegotiation
Name
tls_allow_renegotiation — determine whether to enable TLS renegotiation
Synopsis
TLS_Allow_Renegotiation = true|false
Description
Configuration Change. Support for GNUTLS is available as of version 4.1 for SMTP reception and SMTP deliveries only.
This option determines whether TLS renegotiation is enabled or disabled.
OpenSSL
When TLS_Engine is set to openssl, this option is supported by the ESMTP, HTTP, and ECStream listeners. SSL/TLS renegotiation has a known, inherent vulnerability to denial-of-service attacks: a handshake costs the server considerably more CPU than it costs the client, so a client that repeatedly requests renegotiation over a single connection can exhaust server resources cheaply. OpenSSL regards mitigation of this as the responsibility of the higher-level application. TLS_Allow_Renegotiation addresses this issue by making it possible to deny renegotiation requests.
Note
If you have C policy scripts that incorporate calls to ec_ssl_renegotiate, please note this behavior. In some circumstances, setting this option to false may shut down valid attempts at renegotiation and needlessly drop connections.
This option can be set to the following:
- true – Renegotiations are allowed.
- false – Renegotiations are not allowed at all. When renegotiation is disabled and the peer attempts to renegotiate, the OpenSSL session does not close immediately; the connection remains open, without completing the renegotiation, until the SSL connection times out.
GNUTLS
When TLS_Engine is set to gnutls, this option is supported by the ESMTP listener only.
This option can be set to the following:
- true – Renegotiations are allowed when the Safe Renegotiation extension (RFC 5746) has been negotiated. For additional details about Safe Renegotiation, see http://www.gnutls.org/manual/gnutls.html#Safe-renegotiation.
- false – Renegotiations are not allowed at all.
The default value is true.
Scope
tls_allow_renegotiation is valid in the ecstream_listener, esmtp_listener, http_listener, pathway, pathway_group and xmpp_listener scopes, and in the listen and peer scopes within those listeners.
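The following configuration fragment is an added example, not taken from the product documentation, showing how the scopes above can be layered: renegotiation is refused for the listener as a whole, and re-enabled only for one peer range whose C policy scripts still call ec_ssl_renegotiate (the case the Note warns about). The block names ESMTP_Listener, Listen and Peer, the TLS and TLS_Engine settings, and the 192.0.2.0/24 address range are assumed for illustration and should be checked against your own ecelerity.conf.

```conf
# Added example (not from the product documentation). Block names and the
# peer range are illustrative; TLS_Allow_Renegotiation values follow the Synopsis.
ESMTP_Listener {
  Listen "0.0.0.0:25" {
    TLS = "yes"
    TLS_Engine = "openssl"

    # Listener-wide default: deny renegotiation requests from peers, so a
    # client cannot repeatedly force expensive handshakes on one connection.
    TLS_Allow_Renegotiation = false

    # Peers whose C policy scripts call ec_ssl_renegotiate: allow it for them
    # only, so their connections are not left hanging until the SSL timeout.
    Peer "192.0.2.0/24" {
      TLS_Allow_Renegotiation = true
    }
  }
}
```

The inner Peer scope overrides the Listen-scope setting for matching peers only; every other peer inherits the listener-wide false. If you move a listener from openssl to gnutls, remember that under GNUTLS only the ESMTP listener honours this option and that true there still requires the Safe Renegotiation extension to have been negotiated.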