On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote: > Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option > still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a > no-ssl3 application scenario is just one way to exploit this and that > the ssl23_get_client_hello function causes this issue for any > unsupported or unrecognized version. The can return NULL in case of no-ssl2 or no-ssl3 when receiving SSLv2 or SSLv3. But in case of SSLv2 that function isn't called, it directly sets the method to SSLv2_server_method() in that case if the previous if block. Please note that s->verion can't be set to a unknown value but can be set to an unsupported value. SSL2_VERSION and SSL3_VERSION are the only 2 options that are known but can be unsupported. But as stated above this doesn't affect SSLv2. So in summary this only has an effect when build using no-ssl3. Kurt
