Vigil@nce - OpenSSL: option no-ssl3 useless
October 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can still use SSLv3, even if OpenSSL was compiled with
no-ssl3.
Impacted products: Debian, McAfee Email and Web Security, McAfee
Email Gateway, ePO, OpenSSL, Slackware, stunnel
Severity: 1/4
Creation date: 15/10/2014
DESCRIPTION OF THE VULNERABILITY
The OpenSSL library can be compiled with the no-ssl3 option, in
order to disable SSLv3.
However, this option does not work.
An attacker can therefore still use SSLv3, even if OpenSSL was
compiled with no-ssl3.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSL-option-no-ssl3-useless-15491