<html><head></head><body>Hi Aaron, maybe this is not a security fault, but it is in my opinion a bug in a software, that is used in this branch in different products. Actually I read a lot of mailing list and blogs and also git repos.<br>
If I able to use my phone in a better way, I will write the bug to the openssl mailinglist, at the moment there is a lot of noise there. At least if I am back at home, i will write.<br>
Cheers jan<br><br><div class="gmail_quote">On 25. April 2014 19:53:19 MESZ, Aaron Zauner <azet@azet.org> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">Hi Jan, Leon,<br /><br />This so far only concerns our project as our ciphersuite is not<br />correctly handled by old OpenSSL versions and may end up being less<br />secure than it actually should be. If you use our recommendations stay<br />tuned for an updated version that tries to handle this issue. If you're<br />using your own ciphersuite specs you should check what ciphers they<br />allow for.<br /><br />It's not a software vulnerability (althoug these old versions of OpenSSL<br />probably have plenty), it's an issue how OpenSSL interprets ciphersuite<br />configurations.<br /><br />Aaron<br /><br /></pre><p style="margin-top: 2.5em; margin-bottom: 1em; border-bottom: 1px solid #000"></p><pre class="k9mail"><hr /><br />Ach mailing list<br />Ach@lists.cert.at<br /><a href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach">http://lists.cert.at/cgi-bin/mailman/listinfo/ach</a><br /></pre></blockquote></div><br>
-- <br>
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.</body></html>