On 23/09/16 06:07, ???? wrote:
> Hi guys
> can I avoid the risk of "OCSP Status Request extension unbounded
> memory growth" if I disable server's TLS renegotiation?
> Indeed, nginx disables TLS renegotiation by default since 0.8.23.

The issue occurs as a result of the attacker continually renegotiating,
growing the memory each time. If renegotiation is disabled then the
issue cannot occur. OpenSSL itself does not provide an easy way for
applications to disable renegotiation although I understand some
applications have found workarounds for that.

Matt
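
One shape an application-level workaround of the kind mentioned in the reply can take, as an added example (not code from this thread, from OpenSSL or from nginx): watch handshake events through OpenSSL's info callback and mark any connection that starts a second handshake for closing. The names `reneg_guard`, `reneg_guard_event`, `reneg_guard_install` and the `USE_OPENSSL` build switch are hypothetical; the example assumes TLS 1.2 or earlier, where a handshake start after the first completed handshake means renegotiation.

```c
#include <stddef.h>

#ifdef USE_OPENSSL
#include <openssl/ssl.h>
#else
/* Same values as in <openssl/ssl.h>, so the logic builds without OpenSSL. */
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20
#endif

/* Hypothetical per-connection state owned by the application. */
struct reneg_guard {
    int handshaked;  /* the initial handshake has completed */
    int must_close;  /* peer started another handshake: drop the connection */
};

/* Feed every info-callback event here. Returns 1 once the connection
 * has to be closed; the I/O loop checks this after SSL_read/SSL_write. */
int reneg_guard_event(struct reneg_guard *g, int where)
{
    if ((where & SSL_CB_HANDSHAKE_START) && g->handshaked)
        g->must_close = 1;          /* renegotiation attempt */
    if (where & SSL_CB_HANDSHAKE_DONE)
        g->handshaked = 1;
    return g->must_close;
}

#ifdef USE_OPENSSL
static int guard_idx = -1;  /* ex_data slot that holds the guard pointer */

static void info_cb(const SSL *ssl, int where, int ret)
{
    struct reneg_guard *g = SSL_get_ex_data(ssl, guard_idx);
    (void)ret;
    if (g != NULL)
        reneg_guard_event(g, where);
}

/* Call once per SSL_CTX, then attach a zeroed guard to each new SSL
 * with SSL_set_ex_data(ssl, guard_idx, g) before the handshake. */
void reneg_guard_install(SSL_CTX *ctx)
{
    if (guard_idx < 0)
        guard_idx = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
    SSL_CTX_set_info_callback(ctx, info_cb);
}
#endif
```

Closing the connection on the first repeated handshake start bounds the number of handshakes per connection to one, which is what stops the per-renegotiation growth described in the reply.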