[openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option

Zeke Evans zjedev at gmail.com
Mon Dec 29 17:37:49 UTC 2014

Previous message: [openssl-users] Why construct so wierd certificate chain for one web site
Next message: [openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
still vulnerable to CVE-2014-3569?  It seems the SSLv3 handshake to a
no-ssl3 application scenario is just one way to exploit this and that
the ssl23_get_client_hello function causes this issue for any
unsupported or unrecognized version.

Thanks,
Zeke

Previous message: [openssl-users] Why construct so wierd certificate chain for one web site
Next message: [openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the openssl-users mailing list