[Pkg-openssl-devel] Bug#747453: Arbitrary key size limitations causing hard-to-diagnose problems when establishing a connection
Wilfried Klaebe
w+reportbug at chaos.in-kiel.de
Sat May 10 21:26:47 UTC 2014
On Sat, May 10, 2014 at 10:42:47PM +0200, Florian Weimer wrote:
> * Benny Baumann:
>
> > As stated in the initial report you MUST never place arbitrary
> > limits on the size of cryptographic keys, which is what this bug is
> > doing in the first place.
>
> Actually, you have to, otherwise you end up with a rather trivial
> pre-authentication denial of service vulnerability. It's less of an
> issue for the plain RSA cipher suites, but for many of the more
> sophisticated ones, it is.
Something like "not bigger than 8 times today's reasonable key size"
is not "arbitrary", I think.
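Added illustration (not part of the thread, not OpenSSL code): the two positions above are both about where a size check sits. Florian's point is that a peer chooses the DH group before anything is authenticated, so an unbounded modulus means unbounded modular exponentiation on the client; the bug report's point is that a cap set at today's size rejects legitimate larger groups and fails in a way that is hard to diagnose. The example below parses a TLS-style ServerDHParams blob, enforces the cap from the length prefix before any big-integer work, and compares a tight cap with the generous "eight times today's size" cap suggested in the reply. REASONABLE_DH_BITS, MAX_DH_BITS, KeySizeError and the helper names are assumptions made for this example; the sample parameters are constructed (correct size, not actual primes), and the timing loop only shows how the cost grows with the modulus.

```python
import struct
import time

# Policy constants. These are assumptions for this example, not OpenSSL's
# actual limits: a "reasonable" size for today and a cap eight times that,
# the kind of generous bound the reply argues is not arbitrary.
REASONABLE_DH_BITS = 2048
MAX_DH_BITS = 8 * REASONABLE_DH_BITS


class KeySizeError(ValueError):
    """Raised when a peer-supplied parameter exceeds the size cap."""


def encode_dh_params(p, g, ys):
    """Encode (p, g, Ys) like TLS ServerDHParams: a 2-byte big-endian length
    prefix followed by the big-endian integer. Used here to build test input."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_dh_params(buf, max_bits=MAX_DH_BITS):
    """Parse ServerDHParams and return (p, g, Ys) as ints.

    The size of p is checked against the cap using its length prefix, before
    the bytes are turned into an integer and long before any modexp. That
    ordering is the point: the cost being defended against is the arithmetic,
    so the check has to come first.
    """
    values = []
    off = 0
    for name in ("p", "g", "Ys"):
        if off + 2 > len(buf):
            raise ValueError("truncated length prefix for %s" % name)
        (n,) = struct.unpack_from("!H", buf, off)
        off += 2
        if off + n > len(buf):
            raise ValueError("truncated %s" % name)
        if name == "p" and n * 8 > max_bits:
            raise KeySizeError("DH prime of %d bits exceeds cap of %d bits"
                               % (n * 8, max_bits))
        values.append(int.from_bytes(buf[off:off + n], "big"))
        off += n
    return tuple(values)


def accepts(p_bits, max_bits=MAX_DH_BITS):
    """True if a ServerDHParams carrying a p_bits-bit modulus passes the cap."""
    p = (1 << (p_bits - 1)) | 1      # constructed: right size, not a real prime
    try:
        parse_dh_params(encode_dh_params(p, 2, 3), max_bits)
        return True
    except KeySizeError:
        return False


def modexp_seconds(bits):
    """Time one g^x mod p with a bits-sized modulus and exponent: the work a
    client does for the peer's chosen group before anything is authenticated."""
    p = (1 << (bits - 1)) | 1        # constructed modulus, size is what matters
    x = (1 << (bits - 2)) | 1
    t0 = time.perf_counter()
    pow(2, x, p)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # A cap at today's size causes the problem the bug report describes: a
    # valid 4096-bit group is rejected. The generous cap accepts it but still
    # stops a 64 kbit group whose only purpose is to burn the client's CPU.
    for bits in (2048, 4096, 65536):
        print("%6d bits: tight cap %s, generous cap %s" % (
            bits,
            "accept" if accepts(bits, REASONABLE_DH_BITS) else "reject",
            "accept" if accepts(bits) else "reject"))
    for bits in (1024, 2048, 4096, 8192):
        print("modexp with %5d-bit modulus: %.3f s" % (bits, modexp_seconds(bits)))
```

Run as a script to see the accept/reject table and the growth in modexp time; the cost per doubling of the modulus is what makes a missing cap a pre-authentication DoS, and the gap between 2048 and 16384 is what makes a generous cap different from a tight one.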