[Pkg-openssl-devel] Bug#747453: Arbitrary key size limitations causing hard-to-diagnose problems when establishing a connection
Florian Weimer
fw at deneb.enyo.de
Sat May 10 20:42:47 UTC 2014
* Benny Baumann:
> As stated in the initial report you MUST never place arbitrary
> limits on the size of cryptographic keys which is this bug is doing
> in the first place.
Actually, you have to, otherwise you end up with a rather trivial
pre-authentication denial of service vulnerability. It's less of an
issue for the plain RSA cipher suites, but for many of the more
sophisticated ones, it is.
More information about the Pkg-openssl-devel
mailing list