Thanks for clarifying. On Tue, Dec 30, 2014 at 5:55 AM, Kurt Roeckx <kurt at roeckx.be> wrote: > On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote: >> Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option >> still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a >> no-ssl3 application scenario is just one way to exploit this and that >> the ssl23_get_client_hello function causes this issue for any >> unsupported or unrecognized version. > > The can return NULL in case of no-ssl2 or no-ssl3 when receiving > SSLv2 or SSLv3. But in case of SSLv2 that function isn't called, > it directly sets the method to SSLv2_server_method() in that case > if the previous if block. > > Please note that s->verion can't be set to a unknown value but can > be set to an unsupported value. SSL2_VERSION and SSL3_VERSION are > the only 2 options that are known but can be unsupported. But as > stated above this doesn't affect SSLv2. > > So in summary this only has an effect when build using no-ssl3. > > > Kurt > > _______________________________________________ > openssl-users mailing list > openssl-users at openssl.org > https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
