022 at 12:32:03PM +0530, Vipul Mehta wrote:
>
> > If we consider ECDHE_ECDSA cipher based TLS handshake, then it is possible
> > that the client can send invalid public session key to the server causing
> > the vulnerability. Is this assumption correct?
>
> The CVE
Hello,
Our server does not consume any certificate from the client.
Client authentication or client certificate verification is disabled.
Server always has a valid ECC certificate.
BN_mod_sqrt() is not used anywhere in the server except by OpenSSL.
If we consider ECDHE_ECDSA cipher based TLS