Bug 66225

Summary: Lacking a check for the return value of SSL_renegotiate()
Product: Apache httpd-2
Reporter: UVScan <daniel.zhao1002>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: critical
Keywords: PatchAvailable
Priority: P2
Version: 2.5-HEAD
Target Milestone: ---
Hardware: PC
OS: Mac OS X 10.1

Description UVScan 2022-08-17 06:19:31 UTC
According to the descriptions of SSL_renegotiate(), it has two different return values.
But in httpd-2.4.53/modules/ssl/ssl_engine_kernel.c, we find it lacks a check for the return value of SSL_renegotiate().

Reference: https://www.openssl.org/docs/man1.1.1/man3/SSL_renegotiate.html

Comment 1 UVScan 2022-08-18 04:18:42 UTC
If httpd does not check the return value of SSL_renegotiate(), it could cause a DoS attack.

Since the SSL renegotiation process needs many computing resources and the current httpd does not break the renegotiation process when the return value is 0 (for error), we can initiate many renegotiation requests to exhaust the resources of devices or services, causing a DoS attack.

Comment 2 Giovanni Bechis 2023-03-30 17:09:54 UTC
Fixed in r1908805.
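
An added illustration of the unchecked-versus-checked pattern this report describes; it is not httpd's code and not the change in r1908805. `fake_renegotiate()` is a constructed stand-in that only copies the return convention of SSL_renegotiate() (1 on success, 0 on error), and every other name here is hypothetical.

```c
#include <stdio.h>

/* Constructed stand-in for a TLS connection; not an OpenSSL type. */
struct fake_ssl {
    int reneg_ok;       /* value the stand-in renegotiate call returns */
    int handshakes_run; /* counts the expensive handshake work done */
    int closed;         /* set when the caller aborts the connection */
};

/* Assumed convention, as documented for SSL_renegotiate(): 1 ok, 0 error. */
static int fake_renegotiate(struct fake_ssl *s) { return s->reneg_ok; }

/* Stand-in for the costly handshake that follows a scheduled renegotiation. */
static int fake_do_handshake(struct fake_ssl *s) { s->handshakes_run++; return 1; }

/* Unchecked: the result is dropped, so work continues after an error. */
int renegotiate_unchecked(struct fake_ssl *s)
{
    fake_renegotiate(s);
    fake_do_handshake(s);
    return 0;
}

/* Checked: a 0 return aborts before any handshake work is spent. */
int renegotiate_checked(struct fake_ssl *s)
{
    if (fake_renegotiate(s) != 1 || fake_do_handshake(s) != 1) {
        s->closed = 1;
        return -1;
    }
    return 0;
}

/* Handshakes performed for `requests` renegotiation requests on one connection. */
int handshakes_after(int requests, int reneg_ok, int checked)
{
    struct fake_ssl s = { reneg_ok, 0, 0 };
    for (int i = 0; i < requests && !s.closed; i++) {
        if (checked) renegotiate_checked(&s);
        else renegotiate_unchecked(&s);
    }
    return s.handshakes_run;
}

int main(void)
{
    printf("unchecked: %d, checked: %d handshakes\n",
           handshakes_after(100, 0, 0), handshakes_after(100, 0, 1));
    return 0;
}
```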