The ssl23_get_client_hello function in s23_srvr.c in...
Moderate severity
Unreviewed
Published
May 17, 2022
to the GitHub Advisory Database
•
Updated Jan 28, 2023
Description
Published by the National Vulnerability Database
Aug 13, 2014
Published to the GitHub Advisory Database
May 17, 2022
Last updated
Jan 28, 2023
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
References