On Sat, May 10, 2014 at 10:42:47PM +0200, Florian Weimer wrote:
> * Benny Baumann:
>
> > As stated in the initial report you MUST never place arbitrary
> > limits on the size of cryptographic keys, which is what this bug is
> > doing in the first place.
>
> Actually, you have to, otherwise you end up with a rather trivial
> pre-authentication denial of service vulnerability. It's less of an
> issue for the plain RSA cipher suites, but for many of the more
> sophisticated ones, it is.
Something like "not bigger than 8 times today's reasonable key size" is not "arbitrary", I think.
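The kind of ceiling discussed above, as an added example that is not code from this thread or from the affected package: a constant-cost check on a PKCS#1 RSAPublicKey that rejects an oversized modulus before any big-number arithmetic runs on it. The 2048-bit "reasonable" baseline and the factor of 8 are assumptions taken from the message, not a standard; the DER helpers and `fake_rsa_key` only build constructed test inputs.

```python
# Added example, not code from the thread: gate a PKCS#1 RSAPublicKey
# (SEQUENCE { INTEGER n, INTEGER e }) on modulus size before any big-number
# arithmetic. Baseline 2048 and factor 8 are assumed policy values from the message.
REASONABLE_BITS = 2048
MAX_BITS = 8 * REASONABLE_BITS  # 16384

def _der_len(buf, pos):  # DER length at buf[pos] -> (length, position after it)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def modulus_bits(der):
    """Bit length of n from the DER headers plus at most two bytes of n (O(1) cost)."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _der_len(der, 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER for n")
    n_len, pos = _der_len(der, pos + 1)
    if n_len == 0 or pos + n_len > len(der):
        raise ValueError("truncated modulus")
    if der[pos] == 0x00:  # DER pads a positive INTEGER whose top bit is set
        if n_len < 2:
            raise ValueError("bad modulus encoding")
        return (n_len - 2) * 8 + der[pos + 1].bit_length()
    return (n_len - 1) * 8 + der[pos].bit_length()

def key_size_ok(der, max_bits=MAX_BITS):
    return modulus_bits(der) <= max_bits  # policy gate, runs before any crypto code

# Constructed test keys (not real RSA keys): n = 2**(bits-1) | 1 has exactly `bits` bits.
def _der_len_enc(n):
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return b"\x02" + _der_len_enc(len(b)) + b

def fake_rsa_key(bits, e=65537):
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(e)
    return b"\x30" + _der_len_enc(len(body)) + body
```

The gate reads only the length fields and the first byte or two of n, so its cost does not grow with the key an unauthenticated peer sends; a real implementation would also bound the size of the whole handshake message before parsing it.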

