PT-2012-1524 · Openssl+1

Mouzz · Published 2012-06-16 · Updated 2025-09-22 · CVE-2011-1473

CVSS v2.0: 5.0 Medium
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 0.9.8l; OpenSSL versions 0.9.8m through 1.x
Description
The issue allows a remote attacker to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection. OpenSSL does not restrict client-initiated renegotiation within the SSL and TLS protocols: once a client has completed a handshake it can ask the server to run another full handshake over the same connection, as often as it likes. Every renegotiation costs the server another private-key operation, which is far more expensive than the client's share of the handshake, so one client can keep a server core busy with little effort of its own. Version 0.9.8l is excluded from the affected range only because that release disabled renegotiation altogether in response to the 2009 renegotiation-injection flaw (CVE-2009-3555); 0.9.8m restored renegotiation with RFC 5746 secure renegotiation, which fixes the injection problem but does nothing to limit how often a client may renegotiate. It is worth noting that there is an argument to be made that preventing or limiting renegotiation when it is inappropriate falls under the responsibility of server deployments rather than a security library, and OpenSSL did not ship a fix for this issue on that basis.
Recommendations
Upgrading OpenSSL on its own does not close this issue: 0.9.8l avoids it only by refusing renegotiation entirely, and every later release that supports renegotiation (0.9.8m onwards, including 1.x) accepts client-initiated renegotiation unless the server turns it off. Mitigate in the deployment. Disable client-initiated renegotiation on the server: with OpenSSL 1.1.0h or later, set SSL_OP_NO_RENEGOTIATION on the server context, and check the equivalent setting in whatever TLS-terminating software you run rather than assuming its default. Where renegotiation must stay available (older OpenSSL builds, or clients that legitimately renegotiate, for example for certificate-based re-authentication), count handshakes per connection from the SSL info callback and close connections that exceed a small budget or rate, which is how web servers have long handled this. Prefer TLS 1.3 where possible, since it has no renegotiation mechanism and cannot be attacked this way. Restrict access to the renegotiation functionality to minimize the risk of exploitation.
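Added example, not code from this advisory or from the OpenSSL project: a per-connection renegotiation budget of the kind the Recommendations describe, written in C because that is the layer at which a server talks to OpenSSL. The guard logic is self-contained and is driven here by a simulation of the flood described above; the OpenSSL hook-up at the end compiles only with -DHAVE_OPENSSL and assumes a server that stores one reneg_guard per SSL object with SSL_set_app_data. The names reneg_guard, simulate_renegotiations and harden_ctx are this example's own, and the limits used (10 renegotiations per connection, 3 per second) are illustrative, not recommended values.

```c
/* Per-connection budget for client-initiated TLS renegotiation. Added example,
 * not OpenSSL project code. The guard is plain C; the OpenSSL hook-up at the end
 * compiles only with -DHAVE_OPENSSL and assumes one reneg_guard per SSL object. */
#include <stdint.h>

typedef enum { RENEG_ALLOW = 0, RENEG_REJECT = 1 } reneg_verdict;

typedef struct {
    unsigned handshakes;     /* handshake starts seen, initial one included */
    unsigned max_renegs;     /* lifetime cap on renegotiations */
    unsigned max_per_window; /* cap within one rate window of window_ms */
    uint64_t window_ms, window_start_ms;
    unsigned in_window;
    int rejected;            /* sticky: the I/O loop must close the connection */
} reneg_guard;

void reneg_guard_init(reneg_guard *g, unsigned max_renegs,
                      unsigned max_per_window, uint64_t window_ms)
{
    reneg_guard fresh = {0, max_renegs, max_per_window, window_ms, 0, 0, 0};
    *g = fresh;
}

/* One call per handshake start. The first call is the initial handshake and is
 * always allowed; every later call is a renegotiation and is charged against
 * both the lifetime cap and the rate window. A rejection is sticky. */
reneg_verdict reneg_guard_on_handshake_start(reneg_guard *g, uint64_t now_ms)
{
    if (g->rejected)
        return RENEG_REJECT;
    if (++g->handshakes == 1) {
        g->window_start_ms = now_ms;
        return RENEG_ALLOW;
    }
    if (now_ms - g->window_start_ms >= g->window_ms) { /* open a new window */
        g->window_start_ms = now_ms;
        g->in_window = 0;
    }
    if (g->handshakes - 1 > g->max_renegs || ++g->in_window > g->max_per_window) {
        g->rejected = 1;
        return RENEG_REJECT;
    }
    return RENEG_ALLOW;
}

/* Demo driver (constructed traffic): initial handshake, then `attempts` client
 * renegotiations `interval_ms` apart. Returns how many the guard allowed. */
unsigned simulate_renegotiations(unsigned max_renegs, unsigned max_per_window,
                                 uint64_t window_ms, unsigned attempts, uint64_t interval_ms)
{
    reneg_guard g;
    uint64_t now = 0;
    unsigned allowed = 0, i;
    reneg_guard_init(&g, max_renegs, max_per_window, window_ms);
    reneg_guard_on_handshake_start(&g, now);
    for (i = 0; i < attempts; i++) {
        now += interval_ms;
        if (reneg_guard_on_handshake_start(&g, now) != RENEG_ALLOW)
            break;
        allowed++;
    }
    return allowed;
}

#ifdef HAVE_OPENSSL
#include <time.h>
#include <openssl/ssl.h>
static uint64_t monotonic_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
/* OpenSSL raises SSL_CB_HANDSHAKE_START for every handshake, the initial one
 * included; the accept path is assumed to have called SSL_set_app_data(ssl, g). */
static void reneg_info_cb(const SSL *ssl, int where, int ret)
{
    reneg_guard *g;
    (void)ret;
    if (!(where & SSL_CB_HANDSHAKE_START))
        return;
#ifdef TLS1_3_VERSION
    /* TLS 1.3 has no renegotiation; HANDSHAKE_START there is a post-handshake message. */
    if (SSL_version(ssl) == TLS1_3_VERSION)
        return;
#endif
    g = SSL_get_app_data(ssl);
    if (g != NULL)
        reneg_guard_on_handshake_start(g, monotonic_ms()); /* may set g->rejected */
}
void harden_ctx(SSL_CTX *ctx)
{
#ifdef SSL_OP_NO_RENEGOTIATION
    SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); /* 1.1.0h+: refuse outright */
#endif
    SSL_CTX_set_info_callback(ctx, reneg_info_cb);     /* budget for older builds */
}
#endif
```

With the illustrative limits, a client that renegotiates every 10 ms gets three renegotiations and is then rejected, while one that renegotiates once a minute is allowed ten over the life of the connection before the lifetime cap closes it. Built with -DHAVE_OPENSSL, the callback only marks the connection (g->rejected); the read loop has to check that flag after SSL_read returns and close the socket, since aborting from inside the info callback is not supported. To check whether a server you operate is exposed, connect with `openssl s_client -connect host:443 -tls1_2` and send a line consisting only of `R`, which makes s_client start a renegotiation: a server that has turned client-initiated renegotiation off answers with a no_renegotiation alert or drops the connection, whereas an exposed server completes the new handshake and keeps accepting further `R` lines.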

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2011-1473
SUSE-SU-2014_0050-1

Affected Products

Openssl
Suse