Hi,

I am questioning if Apache 2.2.22 with OpenSSL 0.9.8t is affected 
by CVE-2012-2333 (OpenSSL Invalid TLS/DTLS Record Denial of Service 
Vulnerability)?

You may find the details of the vulnerability 
here: http://www.openssl.org/news/secadv_20120510.txt

Here, it says that "DTLS applications are affected in all versions of OpenSSL. 
TLS is only affected in OpenSSL 1.0.1 and later."

I do not have deeper knowledge about protocols but I think as follows: DTLS 
means TLS for datagram packets so it means http does not use DTLS, right? On 
the other hand, TLS is affected in OpenSSL 1.0.1 and later which means 
0.9.8-related version is not affected, right?

Thus, can I imply that OpenSSL 0.9.8t version used with Apache httpd 2.2.22 is 
not affected by this vulnerability?

Can anybody comment on this issue? Is Apache 2.2.22 with OpenSSL 0.9.8t affected 
by CVE-2012-2333?


Thanks & Regards,
Gorkem
