Document that SSL_OP_ECH_TRIALDECRYPT can cause DoS in some circumstances

author sftcd <stephen.farrell@cs.tcd.ie>

Tue, 25 Nov 2025 23:39:33 +0000 (23:39 +0000)

committer Matt Caswell <matt@openssl.org>

Fri, 20 Feb 2026 16:40:25 +0000 (16:40 +0000)
author sftcd <stephen.farrell@cs.tcd.ie>
Tue, 25 Nov 2025 23:39:33 +0000 (23:39 +0000)
committer Matt Caswell <matt@openssl.org>
Fri, 20 Feb 2026 16:40:25 +0000 (16:40 +0000)
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod

index 21c33e22345e2facab27ac3d6b03a4bff4807f22..cc7cb932d43a742ab98e39f76a9817e0cccc95f9 100644 (file)
--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@@ -383,6 +383,19 @@ ECH key pairs. By default, servers will only attempt decryption using
  an ECH key pair that matches the config_id in the ECH extension value
  received.
  
+Note that a server that has loaded many ECH configurations and that enables ECH
+trial decryption will attempt decryption with every ECH key when presented with
+a GREASEd ECH, and with possibly that many even when presented with a real ECH.
+That could easily become an accidental denial of service.
+
+Note also that the ECH specification recommends that servers that enable this
+option consider implementing some form of rate limiting mechanism to limit the
+potential damage caused in such scenarios.
+
+If trial decryption is enabled then decryption will be attempted with the ECH
+configurations in the order they were loaded. So, were it possible to load the
+configuration most likely to be used first, that would improve efficiency.
+
  =item SSL_OP_ECH_GREASE_RETRY_CONFIG
  
  If set, servers will add GREASEy ECHConfig values to those sent to the
author	sftcd <stephen.farrell@cs.tcd.ie>
	Tue, 25 Nov 2025 23:39:33 +0000 (23:39 +0000)
committer	Matt Caswell <matt@openssl.org>
	Fri, 20 Feb 2026 16:40:25 +0000 (16:40 +0000)