[Pkg-openssl-devel] Bug#529221: Bug#529221: Netscape/OpenSSL Cipher Forcing Bug
Florian Weimer
fw at deneb.enyo.de
Mon May 25 20:22:14 UTC 2009
>> # Consequence
>> A malicious legitimate client can enforce a ciphersuite not supported by the
>> server to be used for a session between the client and the server. This can
>> result in disclosure of sensitive information.
A malicious legitimate client can also publish the data outright. So
I don't think this argument alone makes it a vulnerability.
The actual bug seems to be that when the cipher is changed, the server
does not check it against the configured cipher list. I think this is
worth fixing. It's a problem if your specs say, "don't use algorithm
X, ever", and you can still be tricked into using it.
More information about the Pkg-openssl-devel
mailing list