>> # Consequence >> A malicious legitimate client can enforce a ciphersuite not supported by the >> server to be used for a session between the client and the server. This can >> result in disclosure of sensitive information.
A malicious legitimate client can also publish the data outright. So I don't think this argument alone makes it a vulnerability. The actual bug seems to be that when the cipher is changed, the server does not check it against the configured cipher list. I think this is worth fixing. It's a problem if your specs say, "don't use algorithm X, ever", and you can still be tricked into using it. -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

