by zaroth 4127 days ago
If such a suite was enabled, how would the plethora of SSL testing sites out there have graded it? I assume a passing grade would not have allowed insecure suites such as these to be allowed. Insecure cipher is insecure; that would not typically be worthy of a CVE? It sounds more like even if the suite was not on your accepted list, a MITM could cause the server to downgrade?

This is all OpenSSL has to say about it:

  RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
  ==============================================================

  Severity: Low

  An OpenSSL client will accept the use of an RSA temporary key in a non-
  export RSA key exchange ciphersuite. A server could present a weak
  temporary key and downgrade the security of the session.

  This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

  OpenSSL 1.0.1 users should upgrade to 1.0.1k.
  OpenSSL 1.0.0 users should upgrade to 1.0.0p.
  OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

  This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
  Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
  Henson of the OpenSSL core team.

I find these notes are usually too curt to really understand what's going on...

Also, that CVE is from Jan 8, 2015, while this is claiming to be a new issue disclosed today. I've seen no mention on the oss-security list of "FREAK", so something is borked with this disclosure if it is a new vulnerability...
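As an added illustration (not from the post, the advisory, or OpenSSL's source), a simplified model of the client-side check the advisory describes: a pre-1.0.1k client accepts an RSA temporary key in a non-export RSA suite, while a fixed client only accepts one in an export suite. The suite names, the `SUITES` table and the ServerKeyExchange bytes are constructed for the example.

```python
"""Simplified model of the CVE-2015-0204 client check (assumed, not OpenSSL code)."""
import struct

# Constructed table: OpenSSL-style suite name -> is the suite export-grade?
# Only export RSA suites legitimately use an ephemeral RSA key in ServerKeyExchange.
SUITES = {
    "AES128-SHA": False,   # TLS_RSA_WITH_AES_128_CBC_SHA: static RSA, no temp key expected
    "EXP-RC4-MD5": True,   # TLS_RSA_EXPORT_WITH_RC4_40_MD5: 512-bit temp key is normal
}


def parse_rsa_server_key_exchange(body: bytes):
    """Parse ServerRSAParams of a TLS ServerKeyExchange: <2>modulus <2>exponent.
    Returns (modulus_bits, exponent); the trailing signature is ignored here."""
    if len(body) < 2:
        raise ValueError("truncated ServerKeyExchange")
    (mlen,) = struct.unpack("!H", body[:2])
    modulus = body[2:2 + mlen]
    if len(modulus) != mlen or len(body) < 2 + mlen + 2:
        raise ValueError("truncated modulus")
    off = 2 + mlen
    (elen,) = struct.unpack("!H", body[off:off + 2])
    exponent = body[off + 2:off + 2 + elen]
    if len(exponent) != elen:
        raise ValueError("truncated exponent")
    return int.from_bytes(modulus, "big").bit_length(), int.from_bytes(exponent, "big")


def client_accepts_temp_rsa(suite: str, ske_body: bytes, patched: bool) -> bool:
    """Decide whether the client accepts an RSA temp key for the negotiated suite.
    patched=False models the behaviour the advisory describes: the temp key is
    accepted even for a non-export RSA suite, so a weak key downgrades the session.
    patched=True models the fix: temp RSA keys are only accepted in export suites."""
    parse_rsa_server_key_exchange(ske_body)   # malformed messages are rejected either way
    if SUITES[suite]:
        return True            # export suite: an ephemeral RSA key is what the protocol expects
    return not patched         # non-export suite: a fixed client refuses any temp RSA key


def build_ske(modulus_bits: int, exponent: int = 65537) -> bytes:
    """Constructed ServerRSAParams with a dummy odd modulus of exactly modulus_bits."""
    modulus = (1 << (modulus_bits - 1)) | 1
    m = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    e = exponent.to_bytes(3, "big")
    return struct.pack("!H", len(m)) + m + struct.pack("!H", len(e)) + e
```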