Forgot your password?
typodupeerror

Comment: Advisory is a bit unclear (Score 2) 217

by Doug Papenthien (#47172487) Attached to: New OpenSSL Man-in-the-Middle Flaw Affects All Clients
After reading the advisory from OpenSSL, I'm still confused by what is vulnerable and what isn't. The flaw requires both the client and server to be vulnerable. If the client is using OpenSSL, they're vulnerable for 0.9.8/1.0.0/1.0.1. But if the server is using OpenSSL, they're only vulnerable if using 1.0.1/1.0.2(beta). Yet the bullet list of recommendations points out that servers should upgrade even if they're using 0.9.8: * OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. Let's say I have a server using 0.9.8 and client using 1.0.0. If I understand their explanation correctly, then this scenario is *not* vulnerable. Is that the same conclusion others would draw from their explanation?

Nothing ever becomes real until it is experienced. - John Keats

Working...