> Instead of raising the limit of client key exchange message length more than 2048, why can't we add the "ssl3_check_client_hello" functionality in the ssl/s3_srvr.c because that will "permit appropriate message length".
The DoS issue is still there. How can you prevent the "other side" from consuming all your CPU with a large key? Who needs 16K RSA keys, such that openssl by default should support that for everyone?