Home CVE Database CVE-2015-3197

CVE-2015-3197

Description

an issue where a connecting client can force an SSL handshake to complete via SSLv2, even if allSSLv2 ciphers are disabled. It is important to note that simply disabling the SSLv2 ciphers on your OpenSSL server will not mitigate this issue. In order to prevent an SSLv2 connection, support for the actual protocol must be disabled as well. In other words, even if the server configuration only allows strong ciphers (such as AES-GCM) that are not part of SSLv2, it is possible for an attacker to \"slip through\" these disabled ciphers and complete a handshake usingSSLv2. SSLv2 is a weak and broken protocol and should not be used. If that\'s not possible -- and really, the only reason is having to support very old clients

Priority: MEDIUM
CVSS v3: 5.9
Publish Date: Feb 12, 2016
Related ID: --
CVSS v2: Medium
Modified Date: Feb 12, 2016

Find out more about CVE-2015-3197 from the MITRE-CVE dictionary and NIST NVD


Products Affected

Login may be required to access defects or downloads.

Related Products

Product Name Status Defect Fixed Downloads
Linux 7 SCP Not Vulnerable -- -- --
Linux 7 CGP Not Vulnerable -- -- --

Comments

openssl

Live chat
Online