> Is there really no use of LHASH tables in OpenSSL where an attacker > attempting a DoS attack can control the contents of the tables? The only use of LHASH is in SSL_SESSION and X509_NAME, which use their own hashing functions, and are only used after the session and/or certs have been cryptographically verified.