Commit c7e7b78917 for openssl.org

commit c7e7b78917c4bff6186bda8bf896bf830066379f
Author: sftcd <stephen.farrell@cs.tcd.ie>
Date:   Tue Nov 25 23:39:33 2025 +0000

    Document that SSL_OP_ECH_TRIALDECRYPT can cause DoS in some circumstances

    Fixes DEF-02-002

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Matt Caswell <matt@openssl.org>
    MergeDate: Wed Feb 11 17:19:10 2026
    (Merged from https://github.com/openssl/openssl/pull/29593)

diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod
index 21c33e2234..cc7cb932d4 100644
--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@@ -383,6 +383,19 @@ ECH key pairs. By default, servers will only attempt decryption using
 an ECH key pair that matches the config_id in the ECH extension value
 received.

+Note that a server that has loaded many ECH configurations and that enables ECH
+trial decryption will attempt decryption with every ECH key when presented with
+a GREASEd ECH, and with possibly that many even when presented with a real ECH.
+That could easily become an accidental denial of service.
+
+Note also that the ECH specification recommends that servers that enable this
+option consider implementing some form of rate limiting mechanism to limit the
+potential damage caused in such scenarios.
+
+If trial decryption is enabled then decryption will be attempted with the ECH
+configurations in the order they were loaded. So, were it possible to load the
+configuration most likely to be used first, that would improve efficiency.
+
 =item SSL_OP_ECH_GREASE_RETRY_CONFIG

 If set, servers will add GREASEy ECHConfig values to those sent to the