On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote:
Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a
no-ssl3 application scenario is just one way to exploit this and that
the
Thanks for clarifying.
On Tue, Dec 30, 2014 at 5:55 AM, Kurt Roeckx k...@roeckx.be wrote:
On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote:
Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a
Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a
no-ssl3 application scenario is just one way to exploit this and that
the ssl23_get_client_hello function causes this issue for any
unsupported or