From 6f5df7e4a437aca3014f2898ea65af5bd64acb39 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 24 Oct 2022 16:14:35 +0200
Subject: [PATCH] nts: warn if server started without ntsdumpdir

If an NTS server is configured without ntsdumpdir, keys will not be saved and reloaded after restart, which will cause existing cookies to be invalidated and can cause a short-term denial of service if the server has so many clients that it cannot handle them all making an NTS-KE session within one polling interval.

Log a warning message if a server key+certificate is specified without ntsdumpdir.
---
 nts_ke_server.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/nts_ke_server.c b/nts_ke_server.c
index 3731079..95c6a3d 100644
--- a/nts_ke_server.c
+++ b/nts_ke_server.c
@@ -821,6 +821,11 @@ NKS_Initialise(void)
 key_delay = key_rotation_interval - (SCH_GetLastEventMonoTime() - last_server_key_ts);
 SCH_AddTimeoutByDelay(MAX(key_delay, 0.0), key_timeout, NULL);
 }
+
+ /* Warn if keys are not saved, which can cause a flood of requests after server restart */
+ if (!CNF_GetNtsDumpDir())
+ LOG(LOGS_WARN, "No ntsdumpdir to save server keys");
 }
 initialised = 1;
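Review bot: The new warning names the missing setting but not its consequence, so an operator reading the log will not connect it to the cookie invalidation and NTS-KE burst on restart that the commit message describes; I would make the message say what is at stake, e.g. `LOG(LOGS_WARN, "No ntsdumpdir to save server keys, NTS cookies will be invalidated on restart");`. The `if (!CNF_GetNtsDumpDir())` check sits inside a block whose opening `if` is outside the hunk, and the commit message says the warning is meant only for the case where a server key and certificate are configured — it is worth confirming that the enclosing branch is exactly that one, so the warning is not emitted on client-only instances. The body of NKS_Initialise continues beyond the hunk on both sides.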