Hi all,

I would like to validate my understanding; please excuse my lack of familiarity 
with OpenSSL versioning :-)

The OpenSSL security advisory of 2011-09-06 
(http://www.mail-archive.com/openssl-announce@openssl.org/msg00108.html), 
regarding "TLS ephemeral ECDH crashes in OpenSSL" states that the issue, for 
branch 0.9.8, applies to "OpenSSL 0.9.8 through 0.9.8s".

I understand that for branch 0.9.8 the workaround is to "disable ephemeral ECDH 
ciphersuites if you have enabled them", and that one should use branch 1.0.0. I 
just want to double check the status of the 0.9.8 branch and understand if it 
is still maintained or not.

If I look at the repository for opensslv.h, branch 0.9.8 moved from 0.9.8r 
release to 0.9.8s-dev on 2011-02-08, and as of today it is still 0.9.8s-dev. 
This means that the day that 0.9.8s becomes a release, it will still be 
vulnerable to the "TLS ephemeral ECDH crashes in OpenSSL"? Or am I missing 
something? Is it because by default 0.9.8 doesn't enable ephemeral ECDH?

Thanks
marco
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
