Hi All,
I'm really worried about the vulnerabilities recently found in OpenSSL versions 
3.0.0 - 3.0.6. If I understand things correctly (and please do correct me if 
I'm wrong), it doesn't matter which version of OpenSSL clients are running, 
only which version of OpenSSL *servers* are running. Thus it seems like 
end-users can do very little to protect themselves. For example, how can an 
end-user tell if a website they're visiting is using a safe or an unsafe 
version of OpenSSL?

I did try putting my bank's website through an SSL tester (www.ssllabs.com), 
but I couldn't find an easy way to determine which version of OpenSSL they're 
running. I did get a protocol report, which read as follows:
TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

However, I don't know whether any of those protocol version numbers give any 
indication as to the OpenSSL version number(s).

Any advice would be greatly appreciated.

Many thanks,
Steven_M

Sent with Proton Mail secure email.
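The post asks how an end-user can tell whether an OpenSSL version falls in the affected 3.0.0 - 3.0.6 range. The one thing a user can check directly is the OpenSSL build installed on their own machine. The following is an added example, not code from the post or from the OpenSSL project: it parses the banner printed by `openssl version` and reports whether that version lies inside the range the poster names. The affected range is taken from the post as stated; the sample banners in the test are constructed, and the script only reads the local `openssl` binary if one is on PATH.

```python
import re
import shutil
import subprocess

# Affected range exactly as the post states it: 3.0.0 through 3.0.6 inclusive.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches e.g. "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
# The optional letter suffix covers the 1.x naming scheme; 3.x builds have none.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner.

    Returns None when the banner is not an OpenSSL banner (for example a
    LibreSSL build, which prints a different name and is versioned separately).
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()[:3]
    return (int(major), int(minor), int(patch))


def is_in_affected_range(version):
    """Inclusive tuple comparison against the range stated in the post."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(banner):
    """Classify a banner: 'affected', 'outside-stated-range', or 'not-openssl'."""
    version = parse_openssl_version(banner)
    if version is None:
        return "not-openssl"
    return "affected" if is_in_affected_range(version) else "outside-stated-range"


def local_openssl_banner():
    """Run the locally installed `openssl version`, or return None if absent."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    result = subprocess.run([exe, "version"], capture_output=True, text=True, check=False)
    return result.stdout.strip() or None


if __name__ == "__main__":
    banner = local_openssl_banner()
    if banner is None:
        print("no openssl binary found on PATH")
    else:
        print(f"{banner!r}: {assess(banner)}")
```

Note that this only answers the question for the machine it runs on; as the post observes, a remote server's OpenSSL version is not exposed by the TLS protocol versions it negotiates, so the same check cannot be applied to a website from the outside.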
