Hello openssl-users,

I am looking for clarification regarding CVE-2014-3510. The advisory refers to it as a vulnerability in DTLS when using anonymous DH/ECDH. However, the fix in git (bff5319d9038765f864ef06e2e3c766f5c01dbd7) modified code involving RSA key exchange in non-DTLS protocol versions.

What is the real scope of this vulnerability? In particular, does it affect TLS 1.0 when used with non-anonymous RSA cipher suites?

Thanks,
Ivan