Date: Mon, 7 Jul 2014 23:59:26 +1000
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: default cipher suites in curl

On 7 July 2014 22:05, Marcus Meissner <meissner@...e.de> wrote:
>> This will only happen when the server either doesn't support stronger
>> ciphers or when the server requests its cipher order be honoured and
>> chooses export ciphers first. An attacker can't trigger this with SSLv3
>> or TLS.
>
> I was more thinking of a man in the middle attack during the connection
> setup.

That only works with SSLv2. SSLv3 and TLSv1 won't allow this.
