Hi Lukas,
Lukas Tribus wrote:
>>> I don't see it. Can you please elaborate what exact commit ID your are
>>> refering to?
>> You are probably refering to the github fork, which is as always outdated,
>> and where line 2539 points to the local definition of SSL_OP_SINGLE_DH_USE:
>> #ifndef SSL_OP_S
Hi Lukas,
Lukas Tribus wrote:
> I don't see it. Can you please elaborate what exact commit ID your are
> refering to?
I was looking at
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/src/ssl_sock.c;h=5cec6a4cd6ce5d16f9564e60fa57b24c46112bac;hb=HEAD#l2539
> As far as I an see we do the exact o
>> I don't see it. Can you please elaborate what exact commit ID your are
>> refering to?
>
> You are probably refering to the github fork, which is as always outdated,
> and where line 2539 points to the local definition of SSL_OP_SINGLE_DH_USE:
> #ifndef SSL_OP_SINGLE_ECDH_USE
> #define SSL_OP_SI
>> In HAProxy, this flag is currently statically disabled by default in
>> src/ssl_sock.c line 2539. Thus, when used with older OpenSSL versions
>> than 1.0.1r or 1.0.2f, users could be vulnerable.
>
> I don't see it. Can you please elaborate what exact commit ID your are
> refering to?
You are pr
> In HAProxy, this flag is currently statically disabled by default in
> src/ssl_sock.c line 2539. Thus, when used with older OpenSSL versions
> than 1.0.1r or 1.0.2f, users could be vulnerable.
I don't see it. Can you please elaborate what exact commit ID your are
refering to?
As far as I an see
Hi there,
following CVE-2016-0701, the OpenSSL project switched the behavior of
the SSL_OP_SINGLE_DH_USE flag to a no-op and forcefully enabled the
feature. This results in OpenSSL always generating a new DH parameters
for each handshake which can protect the private DH exponent from
certain attac
6 matches
Mail list logo