Disabling client-initiated renegotiation, disabling all renegotiation
RFC 5746 (2010), section 5, Security Considerations:
"Many servers can mitigate this attack simply by refusing to renegotiate at all."
"TLS implementations SHOULD provide a mechanism to disable and enable renegotiation."
Users do not seem to have this option (e.g. %DISABLE_RENEGOTIATION).
After RFC 5746 was published, DoS attacks, tools and papers concerning abuse of TLS renegotiation appeared.
Guidelines from security institutes call for disabling client-initiated renegotiation on servers to protect against both known and unknown attacks. Users should have the option to do this (e.g. %DISABLE_CLIENT_RENEGOTIATION).
Servers do not need renegotiation when TLS sessions are short-lived, for example on small mail servers.
Requested:
%DISABLE_RENEGOTIATION: disable all renegotiation
%DISABLE_CLIENT_RENEGOTIATION: disable all client-initiated renegotiation
Existing related settings:
%PARTIAL_RENEGOTIATION [default]: allows safe renegotiation only (RFC 5746)
%DISABLE_SAFE_RENEGOTIATION: disable the safe renegotiation extension (RFC 5746)
%UNSAFE_RENEGOTIATION: allow non-safe renegotiation (RFC 5746)