You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@activemq.apache.org by shirley <sh...@trend.com.tw> on 2014/06/10 12:48:00 UTC

ActiveMQ CPP with OpenSSL

Recently, openssl has confirmed a vulnerability that OpenSSL (before 0.9.8za,
1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h) TLS clients enabling anonymous
ECDH ciphersuites are subject to a denial of service attack.

In OpenSSLContextSpi.cpp of activemq-cpp 3.8.2 source codes, we could see
that it sets the cipher suite to "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH". The
default ssl transport seems not to exclude the anonymous ECDH (!AECDH or
!aNULL).

So does it mean that the activemq-cpp clients are affected by this
vulnerability if our activemq-cpp library is built with openssl 1.0.1 before
1.0.0h? 





--
View this message in context: http://activemq.2283324.n4.nabble.com/ActiveMQ-CPP-with-OpenSSL-tp4681940.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.