Feb 22, 2012
- Rehandshake Denial of Service - A denial of service attack against SSL servers was uncovered where a malicious client could repeatedly ask for a rehandshake at very low cpu cost to itself but at high CPU cost to the server (due to the private key operation).
New compile-time defines DEFAULT_RH_CREDITS and BYTES_BEFORE_RH_CREDIT have been added to matrixsslConfig.h to reduce the number of allowable re-handshakes per connection. This feature is enabled by default.
As with previous SSL vulnerabilities, this DOS attack has been known since the early days of SSL, but it had not been applied until recently.
- The sample SSL server now utilities False Start support within MatrixSSL to allow the Google Chrome browser to connect. Support for False Start has been available in MatrixSSL since version 3.1.4 but the sample server was not taking advantage of this feature.
- All file headers and documentation updated and branded to reflect the AuthenTec acquisition of PeerSec Networks and MatrixSSL.
Public API Changes