  • 9 years ago
This video shows a private tool exploiting a vulnerability in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a that allows remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. When successfully exploited, this vulnerability causes the server to crash or slow down.

In this video the attack is launched against a test service run through "openssl s_server", but any TLS/SSL service using a vulnerable version of OpenSSL is affected (exim, dovecot, sendmail, etc.).
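
A version check for the affected ranges quoted above, added here as an example for triaging hosts (it is not part of the original description or of the tool shown in the video). The function names and the sample inventory are constructed for illustration.

```python
import re

# First fixed release on each branch, as named in the description above.
FIXED = {(1, 0, 1): "u", (1, 0, 2): "i", (1, 1, 0): "a"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:pre|beta|dev)\w*)?")


def _patch_key(letters):
    # OpenSSL patch letters sort "" < "a" < ... < "z" < "za" < "zb" ...
    return (len(letters), letters)


def parse_version(text):
    """Extract (branch, patch_letters, is_prerelease) from a bare version
    string or from a full `openssl version` output line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    return branch, m.group(4), m.group(5) is not None


def in_affected_range(text):
    """True if the version falls inside the ranges quoted in the description."""
    branch, letters, prerelease = parse_version(text)
    if branch in FIXED:
        # A pre-release of a branch predates every lettered release on it.
        return prerelease or _patch_key(letters) < _patch_key(FIXED[branch])
    # "before 1.0.1u" also covers every branch older than 1.0.1.
    return branch < (1, 0, 1)


def affected_hosts(inventory):
    """Return the sorted host labels whose reported version is in range."""
    return sorted(h for h, v in inventory.items() if in_affected_range(v))


# Constructed sample inventory: host label -> reported `openssl version` text.
SAMPLE_INVENTORY = {
    "mail-01": "OpenSSL 1.0.1t",
    "mail-02": "OpenSSL 1.0.2i",
    "imap-01": "OpenSSL 1.0.2h",
    "web-01": "OpenSSL 1.1.0",
    "web-02": "OpenSSL 1.1.0a",
}

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))
```

Distribution packages often backport fixes without changing the upstream version string, so confirm any match against the vendor's advisory for the installed package.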