Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a no-ssl3 application scenario is just one way to exploit this and that the ssl23_get_client_hello function causes this issue for any unsupported or unrecognized version.
Thanks, Zeke _______________________________________________ openssl-users mailing list openssl-users@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-users