>> # Consequence
>> A malicious legitimate client can enforce a ciphersuite not supported by the
>> server to be used for a session between the client and the server. This can
>> result in disclosure of sensitive information.

A malicious legitimate client can also publish the data outright.  So
I don't think this argument alone makes it a vulnerability.

The actual bug seems to be that when the cipher is changed, the server
does not check it against the configured cipher list.  I think this is
worth fixing.  It's a problem if your specs say, "don't use algorithm
X, ever", and you can still be tricked into using it.



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to