Date: Mon, 7 Jul 2014 23:59:26 +1000
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: default cipher suites in curl

On 7 July 2014 22:05, Marcus Meissner <meissner@...e.de> wrote:
>> This will only happen when the server either doesn't support stronger
>> ciphers or when the server requests its cipher order be honoured and
>> chooses export ciphers first. An attacker can't trigger this with SSLv3
>> or TLS.
>
> I was more thinking of a man in the middle attack during the connection
> setup.

That only works with SSLv2. SSLv3 and TLSv1 won't allow this.