Recently, OpenSSL has confirmed a vulnerability in which OpenSSL (before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h) TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
In OpenSSLContextSpi.cpp of the activemq-cpp 3.8.2 source code, we could see that it sets the cipher suite to "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH". The default SSL transport seems not to exclude the anonymous ECDH (!AECDH or !aNULL). So does it mean that the activemq-cpp clients are affected by this vulnerability if our activemq-cpp library is built with OpenSSL 1.0.1 before 1.0.0h?

--
View this message in context: http://activemq.2283324.n4.nabble.com/ActiveMQ-CPP-with-OpenSSL-tp4681940.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
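Added example, not part of the original post and not activemq-cpp or OpenSSL code: a simplified Python model of cipher-string evaluation that shows which anonymous suites survive the string quoted above and what changes when `!ADH` is replaced by `!aNULL`. The suite catalog is a constructed subset and the keyword tags are assumptions taken from the OpenSSL 1.0.1 ciphers(1) keyword definitions (ADH does not cover anonymous ECDH, aNULL covers both).

```python
# Added example: simplified model of how OpenSSL evaluates a cipher string.
# CATALOG is a constructed subset of suites; keyword tags follow the
# definitions in the OpenSSL 1.0.1 ciphers(1) manual page (assumption).
CATALOG = [  # (name, strength bits, keywords besides ALL)
    ("ECDHE-RSA-AES256-SHA", 256, set()),
    ("AES128-SHA", 128, set()),
    ("RC4-MD5", 128, {"MD5"}),
    ("DES-CBC-SHA", 56, {"LOW"}),
    ("EXP-RC4-MD5", 40, {"EXP", "MD5"}),
    ("ADH-AES128-SHA", 128, {"ADH", "aNULL"}),
    ("AECDH-AES128-SHA", 128, {"AECDH", "aNULL"}),
    ("AECDH-AES256-SHA", 256, {"AECDH", "aNULL"}),
]
CIPHERS_FROM_POST = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"


def matches(suite, keyword):
    name, _bits, tags = suite
    return keyword in ("ALL", name) or keyword in tags


def expand(cipher_string):
    """Return the suite names left enabled, in preference order."""
    active, killed = [], set()
    for token in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            active.sort(key=lambda s: -s[1])  # stable sort, strongest first
        elif token[0] == "!":  # permanent delete: cannot be re-added later
            killed.update(s[0] for s in CATALOG if matches(s, token[1:]))
            active = [s for s in active if s[0] not in killed]
        elif token[0] == "-":  # delete, but a later token may re-add
            active = [s for s in active if not matches(s, token[1:])]
        elif token[0] in "+@" or "+" in token:
            raise ValueError("not modelled in this example: " + token)
        else:  # plain keyword or suite name: append new matches
            active += [s for s in CATALOG if matches(s, token)
                       and s[0] not in killed and s not in active]
    return [s[0] for s in active]


def anonymous_suites(cipher_string):
    """Suites without server authentication that the string still enables."""
    anon = {s[0] for s in CATALOG if "aNULL" in s[2]}
    return [name for name in expand(cipher_string) if name in anon]


if __name__ == "__main__":
    for cs in (CIPHERS_FROM_POST, CIPHERS_FROM_POST.replace("!ADH", "!aNULL")):
        print(cs, "->", anonymous_suites(cs) or "no anonymous suites")
```

To see what the OpenSSL build actually linked into the client enables, run `openssl ciphers -v` with the same string and look for `Au=None` entries.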
