oss-sec mailing list archives
Re: CVE request: ejabberd compression allows circumvention of encryption despite starttls_required
From: Michael Samuel <mik () miknet net>
Date: Wed, 15 Oct 2014 09:55:07 +1100
Hi,

On 14 October 2014 18:21, Hanno Böck <hanno () hboeck de> wrote:
> E.g. the client will check the server config on the first connection and use those settings in the future. So there is a scenario where this leads to unintended unencrypted connections.

Ok, I agree - this allows non-broken clients to have an insecure configuration, when the expectation is that they wouldn't.

Regards,
Michael