[openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option

Zeke Evans zjedev at gmail.com
Tue Dec 30 16:28:05 UTC 2014


Thanks for clarifying.

On Tue, Dec 30, 2014 at 5:55 AM, Kurt Roeckx <kurt at roeckx.be> wrote:
> On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote:
>> Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
>> still vulnerable to CVE-2014-3569?  It seems the SSLv3 handshake to a
>> no-ssl3 application scenario is just one way to exploit this and that
>> the ssl23_get_client_hello function causes this issue for any
>> unsupported or unrecognized version.
>
> The can return NULL in case of no-ssl2 or no-ssl3 when receiving
> SSLv2 or SSLv3.  But in case of SSLv2 that function isn't called,
> it directly sets the method to SSLv2_server_method() in that case
> if the previous if block.
>
> Please note that s->verion can't be set to a unknown value but can
> be set to an unsupported value.  SSL2_VERSION and SSL3_VERSION are
> the only 2 options that are known but can be unsupported.  But as
> stated above this doesn't affect SSLv2.
>
> So in summary this only has an effect when build using no-ssl3.
>
>
> Kurt
>
> _______________________________________________
> openssl-users mailing list
> openssl-users at openssl.org
> https://mta.opensslfoundation.net/mailman/listinfo/openssl-users


More information about the openssl-users mailing list