[openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

Kaduk, Ben via RT rt at openssl.org
Fri Sep 11 19:47:24 UTC 2015


SSLv2 support has been removed from master, but is still present in 1.0.2.

Adding a range check in ssl_get_prev_session() broke the SSLv2 codepath
because it supplied NULL as the 'limit' parameter that had not
previously been used for SSLv2 (or v3), so the fix is just to supply a
non-NULL limit.

Patch at https://github.com/openssl/openssl/pull/395 .
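
The failure mode described in this report, as an added example: a simplified model in C, not OpenSSL's code and not taken from the linked patch. The names `lookup_session`, `legacy_caller` and `fixed_caller`, the return codes and the message layout are hypothetical; it only shows why a newly added range check rejects every call from a caller that still passes NULL as the limit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { LOOKUP_REJECT = -1, LOOKUP_MISS = 0, LOOKUP_HIT = 1 };

/* Hypothetical stand-in for a session lookup that gained a range check:
 * the session ID [id, id+len) must end at or before 'limit'. */
static int lookup_session(const unsigned char *id, size_t len,
                          const unsigned char *limit)
{
    /* Compare as integers so the NULL case is well defined in this model. */
    if ((uintptr_t)id + len > (uintptr_t)limit)
        return LOOKUP_REJECT;   /* ID would run past the end of the message */
    /* Model only: any non-empty, in-range ID counts as a cache hit. */
    return len > 0 ? LOOKUP_HIT : LOOKUP_MISS;
}

/* Caller written before the check existed: 'limit' was unused, so NULL.
 * With limit == NULL the comparison above is true for every non-NULL id. */
static int legacy_caller(const unsigned char *msg, size_t msg_len,
                         size_t id_off, size_t id_len)
{
    (void)msg_len;
    return lookup_session(msg + id_off, id_len, NULL);
}

/* Fixed caller: pass the end of the received message as the limit. */
static int fixed_caller(const unsigned char *msg, size_t msg_len,
                        size_t id_off, size_t id_len)
{
    return lookup_session(msg + id_off, id_len, msg + msg_len);
}

int main(void)
{
    /* Constructed message: 4 header bytes followed by a 16-byte session ID. */
    unsigned char msg[20] = {0};

    printf("legacy caller:       %d\n", legacy_caller(msg, sizeof msg, 4, 16));
    printf("fixed caller:        %d\n", fixed_caller(msg, sizeof msg, 4, 16));
    printf("fixed, oversized id: %d\n", fixed_caller(msg, sizeof msg, 4, 32));
    return 0;
}
```

The fixed caller keeps the protection the range check was added for: an ID length that overruns the message is still rejected.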
