Vulnerability in OpenSSL (CVE-2014-3511)

2014-08-06T00:00:00
ID OPENSSL:CVE-2014-3511
Type openssl
Reporter OpenSSL
Modified 2014-08-06T00:00:00

Description

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client's TLS records. Reported by David Benjamin and Adam Langley (Google).
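A detection-side view of the condition described above, as an added example that is not part of the advisory or of OpenSSL's code: it walks the TLS records of a captured client first flight, reassembles the ClientHello, and flags the case where the first record is too short to contain the client's version. The 6-byte threshold, the function names and the sample captures are assumptions made for this illustration; the threshold follows from the TLS message layout (4-byte handshake header, then the 2-byte client_version), not from the advisory text.

```python
import struct

HANDSHAKE, CLIENT_HELLO = 22, 1
# Assumption: "badly fragmented" = first record ends before the 2-byte
# client_version that follows the 4-byte handshake header (TLS layout).
MIN_FIRST_FRAGMENT = 6

def iter_records(stream):
    """Yield (content_type, payload) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, off)
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            return  # truncated capture, stop parsing
        yield ctype, payload
        off += 5 + length

def inspect_client_hello(stream):
    """Reassemble the first handshake message and report how it was split."""
    frags, data = [], b""
    for ctype, payload in iter_records(stream):
        if ctype != HANDSHAKE:
            break
        frags.append(payload)
        data += payload
        if len(data) >= 4 and len(data) >= 4 + int.from_bytes(data[1:4], "big"):
            break  # whole handshake message collected
    if len(data) < MIN_FIRST_FRAGMENT or data[0] != CLIENT_HELLO:
        return None
    return {
        "fragments": len(frags),
        "first_fragment_len": len(frags[0]),
        "offered_version": (data[4], data[5]),  # what the client really offered
        "suspicious": len(frags[0]) < MIN_FIRST_FRAGMENT,
    }

def wrap(payload, version=0x0301):
    """Constructed helper: place payload in a single handshake record."""
    return struct.pack("!BHH", HANDSHAKE, version, len(payload)) + payload

# Constructed sample: minimal ClientHello offering TLS 1.2, i.e. (3, 3).
_body = bytes([3, 3]) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
HELLO = bytes([CLIENT_HELLO]) + len(_body).to_bytes(3, "big") + _body
INTACT = wrap(HELLO)                      # one record, as normal clients send
SPLIT = wrap(HELLO[:3]) + wrap(HELLO[3:])  # first record stops before the version

if __name__ == "__main__":
    for name, capture in (("intact", INTACT), ("split", SPLIT)):
        print(name, inspect_client_hello(capture))
```

Comparing `offered_version` against the version the server finally negotiated shows whether a flagged connection was actually downgraded.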