[openssl-users] disable tls renegotiation to avoid the risk of OCSP Status Request extension unbounded memory growth

Matt Caswell matt at openssl.org
Fri Sep 23 07:44:29 UTC 2016

On 23/09/16 06:07, 知於裘己 wrote:
> Hi guys
>       can i avoid the risk of "OCSP Status Request extension unbounded
> memory growth" if i disable server's tls renegotiation ?
>       in deed, nginx diable tls renegotiation by default since 0.8.23.  

The issue occurs as a result of the attacker continually renegotiating,
growing the memory each time. If renegotiation is disabled then the
issue cannot occur. OpenSSL itself does not provide an easy way for
applications to disable renegotiation although I understand some
applications have found workarounds for that.


More information about the openssl-users mailing list