Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094) #538

Open
eclhmf opened this issue Jan 25, 2023 · 0 comments
Open

SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094) #538

eclhmf opened this issue Jan 25, 2023 · 0 comments
Assignees
@callum-kirby
Labels
build issue

Comments

@eclhmf
Copy link

eclhmf commented Jan 25, 2023
edited
Loading

Hi,
during the security audit of our REST-API, which uses the restbed library, a vulnerability regarding SSL/TLS occurred.
The following CVEs are referenced:

  • CVE-2011-1473
  • CVE-2011-5094
    TLDR; An attacker can perform a computational DoS attack by performing many renegotiations within a single connection.

I have not found a way in the API (https://github.com/Corvusoft/restbed/blob/master/documentation/API.md#sslsettings) to limit renegotiations nor to disable them at all.

libraries:

  • restbed 4.8
  • openssl 1.1.1

Additional reference:
https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@callum-kirby callum-kirby

Labels
build issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ben-crowhurst @callum-kirby @eclhmf