Stop recommending DHE, because of "dheater" vulnerability :CVE-2002-20001 #17374
Comments
@mattcaswell As per the test done by us, the "dheater" can make our openssl s_server occupy 90%+ CPU. Is this normal?
For reference see this issue which seems relevant:

Also see:

The CVE record links to this academic paper (which dates from 2000) - in particular see section 5.7:

This probably requires some OTC consideration. My initial reaction is that there doesn't seem to be anything new here - other than the assignment of a CVE. (Although I'm a little confused by the "2002" year in the CVE number, even though this was only recently assigned). Question for OTC: How should we respond to CVE-2002-20001?

I didn't see anything in the paper to suggest that the DoS issue is specifically related to DHE and not ECDHE. Did I miss something?
OTC: We will not change the default cipher list at this time.

We do not consider this to be a vulnerability in OpenSSL.
@mattcaswell jfyi many of the CVE CNAs will assign a CVE number where the year portion represents the earliest known public discussion of an issue. |
These guys found a way to saturate the server CPU core to 100% using as little as 5 KB/s of incoming traffic. The pre-requisite is that the server supports DHE as the key exchange. Therefore, to avoid creating such a vulnerable configuration, I propose removing DHE from the SSL_DEFAULT_CIPHER_LIST or TLS_DEFAULT_CIPHERSUITES.
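Added example, not code from this issue or from OpenSSL: the mitigation the reporter proposes (dropping DHE from the cipher list) applied at the application level with Python's standard ssl module, which wraps OpenSSL, plus a check that no DHE suite remains enabled. The cipher-string keyword kDHE and the 'kea' field of get_ciphers() are real OpenSSL and Python names; everything else here is illustrative.

```python
import ssl

# Cipher-string keyword that removes every suite whose key exchange is
# ephemeral finite-field Diffie-Hellman; OpenSSL also accepts the older
# alias "kEDH". ECDHE suites are unaffected by this filter.
NO_DHE_CIPHER_STRING = "DEFAULT:!kDHE"


def dhe_suite_names(cipher_string):
    """Build a server context with the given OpenSSL cipher string and return
    the names of the enabled TLS <= 1.2 suites that still use DHE key exchange.

    Python reports OpenSSL's key-exchange NID long name in the 'kea' field:
    'kx-dhe', 'kx-ecdhe', 'kx-rsa', ..., and 'kx-any' for TLS 1.3 suites.
    DHE-PSK suites are a separate class ('kx-dhe-psk') that is only usable
    when a PSK callback is configured, so they are not counted here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return sorted(c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-dhe")


def make_server_context(certfile=None, keyfile=None):
    """Server context with DHE suites removed, as the issue proposes.

    Caveat: the cipher string governs TLS 1.0-1.2 only. In TLS 1.3 the
    key-exchange group is chosen from the supported_groups list, so a server
    that also wants to refuse ffdhe* groups there must restrict its group
    configuration separately (e.g. OpenSSL's "Groups" SSL_CONF directive).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(NO_DHE_CIPHER_STRING)
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    print("DHE suites with DEFAULT:      ", dhe_suite_names("DEFAULT"))
    print("DHE suites with DEFAULT:!kDHE:", dhe_suite_names(NO_DHE_CIPHER_STRING))
```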