Hi,
Reading the CVE-2014-5139 description,
The issue affects OpenSSL clients and allows a malicious server to crash
the client with a null pointer dereference (read) by specifying an SRP
ciphersuite even though it was not properly negotiated with the client. This can
be exploited through a Denial of Service attack.
OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i.
Can someone please clarify whether or not this vulnerability affects
1.0.1 clients which explicitly disable SRP ciphers via
SSL_CTX_set_cipher_list?
I appreciate your help.
Thanks and Best Regards,
Henning
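As an added example (not part of the post above and not OpenSSL project code), the following Python script checks what a cipher string of the kind passed to SSL_CTX_set_cipher_list actually leaves in a client's offered suite list. It assumes CPython's ssl module, whose SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(), and the constructed cipher strings in CIPHER_STRINGS are assumptions for comparison. It only verifies the client's configured list; it says nothing about how a particular OpenSSL version handles a ServerHello that selects a suite the client did not offer, which is the question the post raises.

```python
import re
import ssl

# Constructed cipher strings for comparison (assumption: these mirror the
# kind of string a client passes to SSL_CTX_set_cipher_list; they are not
# taken from the post).
CIPHER_STRINGS = {
    "all": "ALL",
    "default": "DEFAULT",
    "default_no_srp": "DEFAULT:!SRP",
}

# "Kx=..." token of SSL_CIPHER_description(), e.g. "Kx=SRP" or "Kx=ECDH".
_KX_RE = re.compile(r"\bKx=(\S+)")


def key_exchange_of(cipher: dict) -> str:
    """Return the key-exchange method of one entry from
    SSLContext.get_ciphers(), in OpenSSL's short form (e.g. "SRP").

    The 'description' field is the SSL_CIPHER_description() text and has
    carried a "Kx=..." token for a long time; the 'kea' field exists only on
    newer builds and spells it "kx-srp", so the description is tried first.
    """
    match = _KX_RE.search(cipher.get("description", ""))
    if match:
        return match.group(1)
    kea = cipher.get("kea") or ""
    if kea.startswith("kx-"):
        kea = kea[3:]
    return kea.upper()


def offered_ciphers(cipher_string: str) -> list:
    """Build a client context from an OpenSSL cipher string and return the
    suites it would offer, in priority order.

    set_ciphers() is CPython's wrapper around SSL_CTX_set_cipher_list(), so
    the result reflects the string as libssl itself interprets it.  On
    OpenSSL 1.1.1+ the list also contains TLS 1.3 suites, which this string
    does not control; they report Kx=any and never match SRP below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def srp_ciphers_in(cipher_string: str) -> list:
    """Names of the SRP key-exchange suites a cipher string leaves enabled.
    An empty list means the client will not offer any SRP suite."""
    return [c["name"] for c in offered_ciphers(cipher_string)
            if key_exchange_of(c) == "SRP"]


if __name__ == "__main__":
    for label, spec in CIPHER_STRINGS.items():
        srp = srp_ciphers_in(spec)
        total = len(offered_ciphers(spec))
        print(f"{label:15} {spec!r:16} offers {total:3} suites, "
              f"{len(srp)} with Kx=SRP: {srp}")
```

Run it against the libssl your interpreter links to; on a build without SRP support the "ALL" line simply reports zero SRP suites, and "DEFAULT:!SRP" must always report zero, which is the property to check on the client side.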
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org