Is CVE-2014-5139 applicable if SRP ciphers were disabled from the cipherlist?

2014-08-08 Thread Henning Horst
Hi,

Reading the CVE-2014-5139 description,

The issue affects OpenSSL clients and allows a malicious server to crash
the client with a null pointer dereference (read) by specifying an SRP
ciphersuite even though it was not properly negotiated with the client. This can
be exploited through a Denial of Service attack.

OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i.


can someone please clarify whether or not this vulnerability affects
1.0.1 clients which explicitly disable SRP ciphers via
SSL_CTX_set_cipher_list?

I appreciate your help.

Thanks and Best Regards,

Henning

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: Is CVE-2014-5139 applicable if SRP ciphers were disabled from the cipherlist?

2014-08-08 Thread Henning Horst
On 08/08/2014 03:27 PM, Dr. Stephen Henson wrote:
> Disabling them with the cipherlist will still leave you vulnerable. One of the
> bugs this fixed was that an SRP ciphersuite could be specified even if it was
> not present in ClientHello.
>
> If you disable SRP at compile time with no-srp you're OK though.

Thank you very much for your swift response, Steve.
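The point in Steve's reply is that SSL_CTX_set_cipher_list only changes what the client puts in its ClientHello; it does not by itself stop the client from accepting whatever suite the ServerHello names. The following is an added example (not OpenSSL code, not from either poster) of the client-side check that closes that gap: parse the offered list out of a ClientHello, parse the selected suite out of a ServerHello, and refuse the handshake if the selection was never offered. Both messages are constructed inline (TLS 1.2 bodies with a zero random, no extensions, no handshake headers), and the SRP code points are those assigned in RFC 5054.

```python
"""Added example: verify that a ServerHello's cipher_suite was offered.

This is illustrative code written for this thread, not OpenSSL's
implementation. Message bodies are constructed inline so it runs offline.
"""
import struct

# RFC 5054 SRP cipher suite code points, used only to label a rejection.
SRP_SUITES = {
    0xC01A: "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
    0xC01B: "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC01C: "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
    0xC01D: "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
    0xC01E: "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
    0xC01F: "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
    0xC020: "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
    0xC021: "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
    0xC022: "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
}

RANDOM = bytes(32)  # constructed placeholder; a real peer sends 32 random bytes


def build_client_hello(suites):
    """Constructed TLS 1.2 ClientHello body: version, random, empty session_id,
    cipher_suites vector, null compression only. No extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    return (b"\x03\x03" + RANDOM + b"\x00"
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")


def build_server_hello(suite):
    """Constructed TLS 1.2 ServerHello body selecting `suite`."""
    return b"\x03\x03" + RANDOM + b"\x00" + struct.pack("!H", suite) + b"\x00"


def parse_client_hello_suites(body):
    """Offered cipher suites from a ClientHello body (RFC 5246 7.4.1.2)."""
    off = 2 + 32                      # client_version + random
    sid_len = body[off]
    off += 1 + sid_len                # session_id<0..32>
    (cs_len,) = struct.unpack_from("!H", body, off)
    off += 2
    if cs_len < 2 or cs_len % 2 or off + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return list(struct.unpack_from("!%dH" % (cs_len // 2), body, off))


def parse_server_hello_suite(body):
    """Selected cipher suite from a ServerHello body (RFC 5246 7.4.1.3)."""
    off = 2 + 32
    sid_len = body[off]
    off += 1 + sid_len
    if off + 2 > len(body):
        raise ValueError("truncated ServerHello")
    (suite,) = struct.unpack_from("!H", body, off)
    return suite


def check_server_choice(offered, chosen):
    """The check a client must make before it sets up state for `chosen`.

    Returns None when the selection is acceptable, otherwise a reason string.
    A client that skips this and then reads per-suite state it never
    initialised (it never offered the suite) is in the situation the
    advisory describes: a NULL pointer read triggered by the server.
    """
    if chosen in offered:
        return None
    name = SRP_SUITES.get(chosen, "0x%04X" % chosen)
    return "server selected %s, which was not in ClientHello" % name


def negotiate(offered, server_pick):
    """Run one constructed exchange; return (accepted, reason)."""
    ch = build_client_hello(offered)
    sh = build_server_hello(server_pick)
    reason = check_server_choice(parse_client_hello_suites(ch),
                                 parse_server_hello_suite(sh))
    return (reason is None, reason)


if __name__ == "__main__":
    # A client whose cipher list excludes SRP offers only
    # ECDHE-RSA-AES128-GCM-SHA256 (0xC02F) and AES128-SHA (0x002F).
    offered = [0xC02F, 0x002F]
    print(negotiate(offered, 0xC02F))  # honest server: accepted
    print(negotiate(offered, 0xC01D))  # server forces an unoffered SRP suite: rejected
```

The cipher-list filter is visible only in `build_client_hello`; whether the connection survives a hostile ServerHello is decided entirely in `check_server_choice`, which is why removing SRP from the cipher string does not help a client that lacks this check, while building with `no-srp` (so no SRP code path exists at all) does.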