[openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)
Hubert Kario via RT
rt at openssl.org
Thu Oct 8 17:32:06 UTC 2015
On Thursday 08 October 2015 17:19:06 Alessandro Ghedini via RT wrote:
> The problem most likely happens with SSLv2 backwards compatible
> ClientHello as well, but that seems to be easier to fix... or maybe
> it's time to just drop that compatibility code for v1.1?
There is quite a bit of clients that do send SSLv2 backwards compatible
Client Hello, dropping it completely, even though it allows to
relatively safely negotiate TLS connections, is probably going one step
too far.
I don't plan to work on SSLv2 Client Hello fuzzing in near future
though.
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151008/d3814bb6/attachment.sig>
More information about the openssl-dev
mailing list