[openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option
Kurt Roeckx
kurt at roeckx.be
Tue Dec 30 12:55:26 UTC 2014
On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote:
> Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
> still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a
> no-ssl3 application scenario is just one way to exploit this and that
> the ssl23_get_client_hello function causes this issue for any
> unsupported or unrecognized version.

The can return NULL in case of no-ssl2 or no-ssl3 when receiving
SSLv2 or SSLv3. But in case of SSLv2 that function isn't called,
it directly sets the method to SSLv2_server_method() in that case
in the previous if block.

Please note that s->version can't be set to an unknown value but can
be set to an unsupported value. SSL2_VERSION and SSL3_VERSION are
the only 2 options that are known but can be unsupported. But as
stated above this doesn't affect SSLv2.

So in summary this only has an effect when built using no-ssl3.

Kurt
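
The reasoning in the reply above, as a small C model added here (it is not OpenSSL source and not part of the original message): it walks every combination of the two build options and a received version and reports which ones reach a NULL method. The names `build_opts`, `lookup_method`, `lookup_returns_null` and `count_null_cases` are hypothetical, and the build options are modelled as runtime flags rather than preprocessor switches.

```c
#include <stddef.h>
#include <stdio.h>

/* Wire version values from the OpenSSL headers. */
#define SSL2_VERSION 0x0002
#define SSL3_VERSION 0x0300
#define TLS1_VERSION 0x0301

/* Hypothetical runtime stand-in for the no-ssl2 / no-ssl3 build options. */
struct build_opts { int no_ssl2; int no_ssl3; };

/* Model of the version-to-method lookup: NULL means not compiled in. */
static const char *lookup_method(const struct build_opts *b, int version)
{
    if (version == SSL2_VERSION) return b->no_ssl2 ? NULL : "SSLv2";
    if (version == SSL3_VERSION) return b->no_ssl3 ? NULL : "SSLv3";
    if (version == TLS1_VERSION) return "TLSv1";
    return NULL;
}

/* Returns 1 when the lookup is reached and yields NULL (caller must check). */
static int lookup_returns_null(const struct build_opts *b, int version)
{
    if (version == SSL2_VERSION) return 0; /* set in earlier block, no lookup */
    return lookup_method(b, version) == NULL;
}

/* Count NULL cases; flag whether all are SSLv3 hellos on no-ssl3 builds. */
static int count_null_cases(int *only_no_ssl3)
{
    static const int versions[] = { SSL2_VERSION, SSL3_VERSION, TLS1_VERSION };
    int count = 0;
    *only_no_ssl3 = 1;
    for (int cfg = 0; cfg < 4; cfg++) {
        struct build_opts b = { cfg & 1, (cfg >> 1) & 1 };
        for (size_t i = 0; i < 3; i++) {
            if (!lookup_returns_null(&b, versions[i])) continue;
            count++;
            if (!(b.no_ssl3 && versions[i] == SSL3_VERSION)) *only_no_ssl3 = 0;
        }
    }
    return count;
}

int main(void)
{
    int only, n = count_null_cases(&only);
    printf("NULL cases: %d, all under no-ssl3: %d\n", n, only);
}
```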