Does CVE-2014-3569 apply without the no-ssl3 build option

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: Does CVE-2014-3569 apply without the no-ssl3 build option
From: zjedev@xxxxxxxxx (Zeke Evans)
Date: Mon, 29 Dec 2014 10:37:49 -0700

Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
still vulnerable to CVE-2014-3569?  It seems the SSLv3 handshake to a
no-ssl3 application scenario is just one way to exploit this and that
the ssl23_get_client_hello function causes this issue for any
unsupported or unrecognized version.

Thanks,
Zeke

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Follow-Ups:
- Does CVE-2014-3569 apply without the no-ssl3 build option
  - From: Kurt Roeckx

Prev by Date: Why construct so wierd certificate chain for one web site
Next by Date: Differences in openssl 0.9.8 and 1.0.1x for private pem key file
Previous by thread: Why construct so wierd certificate chain for one web site
Next by thread: Does CVE-2014-3569 apply without the no-ssl3 build option
Index(es):
- Date
- Thread

[Index of Archives] [Linux ARM Kernel] [Linux ARM] [Linux Omap] [Fedora ARM] [IETF Annouce] [Security] [Bugtraq] [Linux] [Linux OMAP] [Linux MIPS] [ECOS] [Asterisk Internet PBX] [Linux API]

Powered by Linux