[openssl-users] disable tls renegotiation to avoid the risk of OCSP Status Request extension unbounded memory growth
matt at openssl.org
Fri Sep 23 07:44:29 UTC 2016
On 23/09/16 06:07, 知於裘己 wrote:
> Hi guys
> can i avoid the risk of "OCSP Status Request extension unbounded
> memory growth" if i disable server's tls renegotiation ?
> in deed, nginx diable tls renegotiation by default since 0.8.23.
The issue occurs as a result of the attacker continually renegotiating,
growing the memory each time. If renegotiation is disabled then the
issue cannot occur. OpenSSL itself does not provide an easy way for
applications to disable renegotiation although I understand some
applications have found workarounds for that.
More information about the openssl-users