diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-10-24 12:30:33 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2015-01-05 22:59:32 +0000 |
commit | b15f8769644b00ef7283521593360b7b2135cb63 (patch) | |
tree | b4d18627db345215516e44ce4463cfc011b566f8 /CHANGES | |
parent | b5526482ef81ee7906b967e326d23a45fbcf3abc (diff) |
ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 7 |
1 files changed, 7 insertions, 0 deletions
@@ -659,6 +659,13 @@ Changes between 1.0.1j and 1.0.1k [xx XXX xxxx] + *) Abort handshake if server key exchange message is omitted for ephemeral + ECDH ciphersuites. + + Thanks to Karthikeyan Bhargavan for reporting this issue. + (CVE-2014-3572) + [Steve Henson] + *) Ensure that the session ID context of an SSL is updated when its SSL_CTX is updated via SSL_set_SSL_CTX. |