MNBSD-2016-4: SSLv2 ciphers negotiable despite being disabled

Severity: Unknown

Affected Package: openssl

Summary: SSLv2 ciphers negotiable despite being disabled

Description

A malicious client could negotiate SSLv2 ciphers that had been disabled on the server and complete SSLv2 handshakes even when all SSLv2 ciphers were disabled, provided the SSLv2 protocol itself was not disabled via SSL_OP_NO_SSLv2. This weakened intended cipher restrictions. Fixed in the 0.7.4 release.

Affected Versions

openssl

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2015-3197

Published: January 30, 2016
Last Modified: January 30, 2016