[openssl-users] CVE-2011-1473 fixed version

Matt Caswell matt at openssl.org
Thu Dec 11 11:47:25 UTC 2014


On 11/12/14 11:35, Gayathri Manoj wrote:
> Hi Jeffrey,
>
> In this its not mentioned.
>
> Thanks,
> Gayathri
>
> On Thu, Dec 11, 2014 at 4:46 PM, Jeffrey Walton <noloader at gmail.com
> <mailto:noloader at gmail.com>> wrote:
>
>     On Thu, Dec 11, 2014 at 6:07 AM, Gayathri Manoj
>     <gayathri.annur at gmail.com <mailto:gayathri.annur at gmail.com>> wrote:
>     > Hi All,
>     >
>     > Please let me know in which version CVE-2011-1473 got fixed.
>     > Is openssl-1.x is vulnerable to this issue?
>     >
>

I wasn't involved at the time, but reading about it now CVE-2011-1473
essentially says (as I understand it) that if you fire lots of SSL
handshakes at a server it could cause a DoS because it is much cheaper
on the client side than it is on the server side. This isn't a "flaw" in
OpenSSL per se, this is a problem at a protocol level. There are some
possible mitigations, and there is an interesting discussion on the
issue here:

http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html#rate_limiting_ssl_handshakes

In answer to your question CVE-2011-1473 has not been "fixed" in OpenSSL
and there are no plans to do so. The answer to this is going to be more
about what DoS mitigations you are using within your infrastructure,
what ciphersuites you choose to use, etc.

Matt

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.opensslfoundation.net/pipermail/openssl-users/attachments/20141211/65f9143e/attachment-0001.html>


More information about the openssl-users mailing list