On Mon, Nov 22, 2010 at 12:30:10PM +0200, r rubin wrote:

> Thank you Victor for the detailed answer. I still don't understand: Does the
> vulnerability affect TLS *clients*?
>
> > In the vulnerability detail, it is mentioned that:
> > - Any OpenSSL based TLS *server* is vulnerable".
> > Does this mean that OpenSSL-based TLS *client* applications aren't
> > vulnerable at all?
>
> > Sorry if this is an obvious question, but as a very OpenSSL beginner I
> > can't count on my own knowledge...
>
> > The problem code was in ssl_parse_clienthello_tlsext().

Sorry, I thought this was clear. Since the problem code is in parsing the client hello (this is only done by servers), there is no problem on the client side.

--
Viktor.