On 11/12/14 11:35, Gayathri Manoj wrote:
> Hi Jeffrey,
>
> In this it's not mentioned.
>
> Thanks,
> Gayathri
>
> On Thu, Dec 11, 2014 at 4:46 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>
>     On Thu, Dec 11, 2014 at 6:07 AM, Gayathri Manoj <gayathri.annur at gmail.com> wrote:
>     > Hi All,
>     >
>     > Please let me know in which version CVE-2011-1473 got fixed.
>     > Is openssl-1.x vulnerable to this issue?
>
I wasn't involved at the time, but reading about it now, CVE-2011-1473 essentially says (as I understand it) that if you fire lots of SSL handshakes at a server it could cause a DoS, because a handshake is much cheaper on the client side than it is on the server side. This isn't a "flaw" in OpenSSL per se; this is a problem at a protocol level. There are some possible mitigations, and there is an interesting discussion on the issue here:

http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html#rate_limiting_ssl_handshakes

In answer to your question, CVE-2011-1473 has not been "fixed" in OpenSSL and there are no plans to do so. The answer to this is going to be more about what DoS mitigations you are using within your infrastructure, what ciphersuites you choose to use, etc.

Matt
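One of the infrastructure-side mitigations the thread points to is rate limiting handshakes per client. As an added example (not code from the thread or from OpenSSL), here is a sliding-window limiter a TLS front end could consult before accepting a new handshake; the client addresses, limits and event timestamps are constructed for illustration.

```python
"""Per-client TLS handshake rate limiter (added example, not from the thread).

CVE-2011-1473 is a protocol-level asymmetry: a handshake costs the server far
more CPU than the client. Capping how many handshakes one client may start per
time window bounds the server-side work a single source can demand.
"""
from collections import defaultdict, deque


class HandshakeRateLimiter:
    """Sliding-window limiter: at most `limit` accepted handshakes per
    `window` seconds for each client key (normally the client IP)."""

    def __init__(self, limit=10, window=60.0):
        self.limit = limit
        self.window = window
        # client key -> timestamps of handshakes accepted inside the window
        self._events = defaultdict(deque)

    def allow(self, client, now):
        q = self._events[client]
        # Evict timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: drop this handshake attempt
        q.append(now)
        return True


# Constructed sample: (timestamp, client). 198.51.100.7 starts 14 handshakes
# within 7 seconds, then one more a minute later; 203.0.113.42 is a normal client.
SAMPLE_EVENTS = [(0.5 * i, "198.51.100.7") for i in range(14)] + [
    (1.0, "203.0.113.42"),
    (30.0, "203.0.113.42"),
    (70.0, "198.51.100.7"),
]


def apply_limiter(events, limit=10, window=60.0):
    """Replay events in time order; return {client: (accepted, rejected)}."""
    limiter = HandshakeRateLimiter(limit, window)
    counts = defaultdict(lambda: [0, 0])
    for ts, client in sorted(events):
        counts[client][0 if limiter.allow(client, ts) else 1] += 1
    return {c: tuple(v) for c, v in counts.items()}
```

With the defaults, the burst source gets 10 handshakes accepted and 4 dropped, and its attempt at t=70s is accepted again once the earlier ones have aged out of the 60-second window.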