According to the description of SSL_renegotiate(), it has two different return values. But in httpd-2.4.53/modules/ssl/ssl_engine_kernel.c, we find it lacks a check for the return value of SSL_renegotiate(). Reference: https://www.openssl.org/docs/man1.1.1/man3/SSL_renegotiate.html
If httpd does not check the return value of SSL_renegotiate(), it could cause a DoS attack. Since the SSL renegotiation process needs many computing resources and the current httpd does not break the renegotiation process when the return value is 0 (for error), we can initiate many renegotiation requests to exhaust the resources of devices or services, causing a DoS attack.
Fixed in r1908805.