Re: [openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option
On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote:
> Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
> still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a
> no-ssl3 application scenario is just one way to exploit this and that
> the ssl23_get_client_hello function causes this issue for any
> unsupported or unrecognized version.

The can return NULL in case of no-ssl2 or no-ssl3 when receiving SSLv2 or SSLv3. But in case of SSLv2 that function isn't called, it directly sets the method to SSLv2_server_method() in that case in the previous if block.

Please note that s->version can't be set to an unknown value but can be set to an unsupported value. SSL2_VERSION and SSL3_VERSION are the only 2 options that are known but can be unsupported. But as stated above this doesn't affect SSLv2.

So in summary this only has an effect when built using no-ssl3.

Kurt
___
openssl-users mailing list
openssl-users@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
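Added example (not part of the thread and not OpenSSL source): a simplified C model of the version-to-method lookup discussed in the reply above, showing that the lookup yields NULL for SSLv3 only when the no-ssl3 build is modelled, together with the NULL check a caller needs before using the result. The model_* names and the no_ssl3 runtime flag are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Wire version values as defined in OpenSSL's public headers. */
#define SSL3_VERSION 0x0300
#define TLS1_VERSION 0x0301

/* Stand-in for SSL_METHOD; every model_* name is hypothetical. */
typedef struct { const char *name; } model_method;

static const model_method model_ssl3 = { "SSLv3" };
static const model_method model_tls1 = { "TLSv1" };

/* Version-to-method lookup. no_ssl3 models the build option as a flag so
 * both builds can be compared in one program. SSLv2 never reaches this
 * lookup: per the reply above it is assigned in an earlier block. */
const model_method *model_get_method(int no_ssl3, int version)
{
    switch (version) {
    case TLS1_VERSION: return &model_tls1;
    case SSL3_VERSION: return no_ssl3 ? NULL : &model_ssl3; /* known, may be compiled out */
    default:           return NULL; /* defensive; the reply says unknown values cannot be set */
    }
}

/* Caller with the check in place: a NULL method fails the handshake
 * cleanly instead of being dereferenced. Returns 1 on success, 0 on reject. */
int model_select_method(int no_ssl3, int version, const model_method **out)
{
    const model_method *m = model_get_method(no_ssl3, version);
    *out = m;
    return m != NULL;
}

int main(void)
{
    const int versions[] = { SSL3_VERSION, TLS1_VERSION };
    for (int no_ssl3 = 0; no_ssl3 <= 1; no_ssl3++) {
        for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++) {
            const model_method *m;
            int ok = model_select_method(no_ssl3, versions[i], &m);
            printf("no_ssl3=%d version=0x%04x -> %s\n", no_ssl3,
                   (unsigned)versions[i], ok ? m->name : "rejected (method was NULL)");
        }
    }
    return 0;
}
```

In the model, only the no_ssl3=1 row for SSL3_VERSION is rejected, which matches the conclusion of the reply that a default build is not affected.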
Re: [openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option
Thanks for clarifying.

On Tue, Dec 30, 2014 at 5:55 AM, Kurt Roeckx k...@roeckx.be wrote:
> On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote:
> > Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
> > still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a
> > no-ssl3 application scenario is just one way to exploit this and that
> > the ssl23_get_client_hello function causes this issue for any
> > unsupported or unrecognized version.
>
> The can return NULL in case of no-ssl2 or no-ssl3 when receiving SSLv2 or SSLv3. But in case of SSLv2 that function isn't called, it directly sets the method to SSLv2_server_method() in that case in the previous if block.
>
> Please note that s->version can't be set to an unknown value but can be set to an unsupported value. SSL2_VERSION and SSL3_VERSION are the only 2 options that are known but can be unsupported. But as stated above this doesn't affect SSLv2.
>
> So in summary this only has an effect when built using no-ssl3.
>
> Kurt
[openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option
Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a no-ssl3 application scenario is just one way to exploit this and that the ssl23_get_client_hello function causes this issue for any unsupported or unrecognized version.

Thanks,
Zeke