oss-sec mailing list archives
Re: CVE request: ejabberd compression allows circumvention of encryption despite starttls_required
From: Hanno Böck <hanno () hboeck de>
Date: Tue, 14 Oct 2014 09:21:38 +0200
On Tue, 14 Oct 2014 12:39:48 +1100, Michael Samuel <mik () miknet net> wrote:
> On 14 October 2014 00:09, Hanno Böck <hanno () hboeck de> wrote:
>> I think this deserves a CVE:
>> http://mail.jabber.org/pipermail/operators/2014-October/002438.html
>
> If a client is willing to do that, then an attacker can simply force downgrade the client and connect to the server using TLS. (Assuming client certificates aren't in use)
Basically these things often work under a more or less "trust-on-first-use"-assumption. E.g. the client will check the server config on the first connection and use those settings in the future. So there is a scenario where this leads to unintended unencrypted connections.

--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: BBB51E42
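
A client-side guard against the downgrade discussed in this message, as an added example (not code from the thread, from ejabberd, or from any XMPP client): it picks the next negotiation step from a `<stream:features/>` stanza, never chooses compression or SASL before TLS, and pins hosts that have used TLS once. The function name, the `pins` set, the `allow_plaintext` opt-in and the sample stanzas are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_COMPRESS = "http://jabber.org/features/compress"

class DowngradeError(Exception):
    """Continuing would leave the stream unencrypted."""

def next_step(host, features_xml, tls_active, pins, allow_plaintext=False):
    """Pick the next negotiation step from one <stream:features/> stanza.

    pins: set of hosts that have completed TLS before (trust on first use).
    allow_plaintext: hypothetical user opt-in, honoured only for unpinned hosts.
    Assumes the stanza was already framed by the client's stream parser.
    """
    offered = {child.tag for child in ET.fromstring(features_xml)}
    if tls_active:
        pins.add(host)  # remember: this host must use TLS from now on
    else:
        if f"{{{NS_TLS}}}starttls" in offered:
            return "starttls"  # always before compression or SASL
        if host in pins:
            raise DowngradeError(f"{host} used TLS before but offers no STARTTLS now")
        if not allow_plaintext:
            raise DowngradeError(f"{host} offers no STARTTLS")
    if f"{{{NS_SASL}}}mechanisms" in offered:
        return "sasl"
    if f"{{{NS_COMPRESS}}}compression" in offered:
        return "compress"
    return "bind"

# Constructed sample stanzas (not captured traffic).
_HEAD = '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
_TLS = f'<starttls xmlns="{NS_TLS}"/>'
_ZLIB = f'<compression xmlns="{NS_COMPRESS}"><method>zlib</method></compression>'
_SASL = f'<mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>'
PRE_TLS = _HEAD + _TLS + _ZLIB + _SASL + "</stream:features>"
STRIPPED = _HEAD + _ZLIB + _SASL + "</stream:features>"  # STARTTLS removed in transit
POST_TLS = STRIPPED  # once TLS is up, STARTTLS is no longer advertised
```

The pin takes precedence over `allow_plaintext`, so a host that has negotiated TLS once cannot later be pushed back to a cleartext stream by stripping the STARTTLS feature.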