On Wed,  4 Jan 2012 21:04:06 +0100 (CET) OpenSSL wrote:

> SGC Restart DoS Attack (CVE-2011-4619)
> ======================================
> 
> Support for handshake restarts for server gated cryptography (SGC) can
> be used in a denial-of-service attack.

This issue seems to fall into the same category as CVE-2011-1473, which
has been asked about on openssl lists a couple of times and does not seem
to have got feedback from the openssl team.

http://thread.gmane.org/gmane.comp.encryption.openssl.user/43645/focus=43699
http://thread.gmane.org/gmane.comp.encryption.openssl.user/43706
http://thread.gmane.org/gmane.comp.encryption.openssl.devel/19839

There was a request for guidance on how to best work around this in
applications, and whether the callback approach is the recommended one:

http://thread.gmane.org/gmane.comp.encryption.openssl.user/43304

Also some efforts to propose a fix:

http://thread.gmane.org/gmane.comp.encryption.openssl.devel/19872

Can anyone from the openssl team provide a statement on this issue and
clarify if there are any changes planned to be made in openssl (be it a
change that throttles or limits renegotiations, or makes it easier for
applications to do so), comment on what kind of openssl fix may be
acceptable, or recommend a way to best handle this in applications if no
openssl fix is planned?

Thank you!

-- 
Tomas Hoger
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
