Worried about the vulnerabilities recently found in OpenSSL versions 3.0.0 - 3.0.6.

Steven_M.irc Steven_M.irc at proton.me
Wed Nov 2 23:17:31 UTC 2022


Hi All,
I'm really worried about the vulnerabilities recently found in OpenSSL versions 3.0.0 - 3.0.6. If I understand things correctly (and please do correct me if I'm wrong), it doesn't matter which version of OpenSSL clients are running, only which version of OpenSSL *servers* are running. Thus it seems like end-users can do very little to protect themselves. For example, how can an end-user tell if a website they're visiting is using a safe or an unsafe version of OpenSSL?

I did try putting my bank's website through an SSL tester (www.ssllabs.com), but I couldn't find an easy way to determine which version of OpenSSL they're running. I did get a protocol report, which read as follows:
TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

However, I don't know if any of those protocol version numbers give any indication as to the OpenSSL version number(s)?

Any advice would be greatly appreciated.

Many thanks,
Steven_M



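As an added example (not part of the original post), a small Python script that checks the one thing an end-user can inspect directly, the OpenSSL version the local `ssl` module is linked against, against the 3.0.0 - 3.0.6 range named above, and that completes a handshake with a server to show what a handshake actually exposes: only the negotiated protocol and cipher, never the server's library version. The host and port for the probe are assumptions supplied on the command line.

```python
"""Check the local OpenSSL build and see what a TLS handshake reveals."""
import re
import socket
import ssl

# Range named in the post: OpenSSL 3.0.0 through 3.0.6, inclusive.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches '3.0.5' in 'OpenSSL 3.0.5 5 Jul 2022' and '1.1.1q' (letter suffix).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> tuple:
    """Return (major, minor, patch) from an OpenSSL version string.
    The 1.x letter suffix is ignored; only the numeric triple matters here."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return tuple(int(x) for x in m.groups()[:3])


def is_affected_version(text: str) -> bool:
    """True if the version string falls inside 3.0.0 .. 3.0.6."""
    return AFFECTED_MIN <= parse_openssl_version(text) <= AFFECTED_MAX


def local_openssl_status() -> dict:
    """Report the library the local ssl module uses; this is the part an
    end-user can actually verify and upgrade."""
    return {"version": ssl.OPENSSL_VERSION,
            "affected": is_affected_version(ssl.OPENSSL_VERSION)}


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a handshake and return what it exposes: the negotiated
    protocol and cipher. No handshake field carries the server's OpenSSL
    version, which is why an SSL Labs protocol report cannot show it either."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    import sys
    print(local_openssl_status())
    if len(sys.argv) > 1:  # assumed usage: python check.py example.com
        print(probe_server(sys.argv[1]))
```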

