diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-10-24 12:30:33 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2015-01-05 23:48:55 +0000 |
commit | ef28c6d6767a6a30df5add36171894c96628fe98 (patch) | |
tree | 06d44aa1bd2ac6ab54db402e4ac48b2f433cb50d /CHANGES | |
parent | 2175744952f5c8eaa2749f347629891497a1bcca (diff) |
ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 7 |
1 files changed, 7 insertions, 0 deletions
@@ -4,6 +4,13 @@ Changes between 1.0.1j and 1.0.1k [xx XXX xxxx] + *) Abort handshake if server key exchange message is omitted for ephemeral + ECDH ciphersuites. + + Thanks to Karthikeyan Bhargavan for reporting this issue. + (CVE-2014-3572) + [Steve Henson] + *) Ensure that the session ID context of an SSL is updated when its SSL_CTX is updated via SSL_set_SSL_CTX. |