CVE-2011-1473 fixed version

On 11/12/14 11:35, Gayathri Manoj wrote:
> Hi Jeffrey,
>
> In this it's not mentioned.
>
> Thanks,
> Gayathri
>
> On Thu, Dec 11, 2014 at 4:46 PM, Jeffrey Walton <noloader at gmail.com
> <mailto:noloader at gmail.com>> wrote:
>
>     On Thu, Dec 11, 2014 at 6:07 AM, Gayathri Manoj
>     <gayathri.annur at gmail.com <mailto:gayathri.annur at gmail.com>> wrote:
>     > Hi All,
>     >
>     > Please let me know in which version CVE-2011-1473 got fixed.
>     > Is openssl-1.x vulnerable to this issue?
>     >
>

I wasn't involved at the time, but reading about it now CVE-2011-1473
essentially says (as I understand it) that if you fire lots of SSL
handshakes at a server it could cause a DoS because it is much cheaper
on the client side than it is on the server side. This isn't a "flaw" in
OpenSSL per se; this is a problem at a protocol level. There are some
possible mitigations, and there is an interesting discussion on the
issue here:

http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html#rate_limiting_ssl_handshakes

In answer to your question, CVE-2011-1473 has not been "fixed" in OpenSSL
and there are no plans to do so. The answer to this is going to be more
about what DoS mitigations you are using within your infrastructure,
what ciphersuites you choose to use, etc.

Matt
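The handshake rate limiting that the linked discussion covers, as an added Python example that is not from this thread or from OpenSSL: a sliding-window limiter that refuses a new handshake from a client that has already used its budget, so the server skips the expensive side of the handshake. The client addresses, limits and timings are constructed for the demonstration.

```python
"""Per-client TLS handshake rate limiter (constructed example)."""
from collections import defaultdict, deque


class HandshakeRateLimiter:
    """Allow at most `limit` handshakes per `window` seconds for each client.

    The server consults this before doing its (costly) part of a handshake;
    a rejected client gets its connection closed cheaply instead.
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # client -> timestamps of recent handshakes

    def allow(self, client: str, now: float) -> bool:
        q = self._events[client]
        # Forget handshakes that have fallen out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # budget exhausted: refuse before any expensive crypto
        q.append(now)
        return True


def filter_handshakes(events, limit=5, window=10.0):
    """Feed (timestamp, client) handshake events through the limiter.

    Returns (accepted, rejected): per-client counts of each outcome.
    """
    limiter = HandshakeRateLimiter(limit, window)
    accepted, rejected = defaultdict(int), defaultdict(int)
    for ts, client in events:
        if limiter.allow(client, ts):
            accepted[client] += 1
        else:
            rejected[client] += 1
    return dict(accepted), dict(rejected)


# Constructed sample: one client starts a handshake every 0.5 s for 20 s,
# another connects at a normal pace (every 3 s). Addresses are documentation ranges.
SAMPLE_EVENTS = sorted(
    [(i * 0.5, "198.51.100.7") for i in range(40)]
    + [(i * 3.0, "203.0.113.5") for i in range(5)]
)

if __name__ == "__main__":
    print(filter_handshakes(SAMPLE_EVENTS))
```

With a budget of 5 handshakes per 10 s, the fast client gets 10 of its 40 handshakes through and the normal client is never throttled.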
