> An attacker could repeat the undefined plaintext warning packets of "SSL3_AL_WARNING" during the handshake, which will easily make to consume 100% CPU on the server.<p>> It is an implementation problem in OpenSSL that OpenSSL would ignore undefined warning, and continue dealing with the remaining data(if exist). So the attacker could pack multiple alerts inside a single record and send a large number of there large records. Then the server will be fallen in a meaningless cycle, and not available to any others.<p>SSL3 is vulnerable and should be banned in the webserver's configuration. It stopped being supported by major browsers years ago.<p>The article doesn't say if webservers are vulnerable when they block SSL3 entirely. If so, it's the hell of a critical vulnerability! Otherwise, <a href="http://disablessl3.com/" rel="nofollow">http://disablessl3.com/</a>