CVE-2014-3511
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
View on NVDSeverity
N/A
EPSS
Probability of exploitation (next 30 days): 0.0542 (5.4%)
Percentile: 90.2%
EPSS: 2026-05-06
Affects
openssl:opensslTechnical description
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
Published: 8/13/2014, 11:55:07 PM
Last modified: 5/6/2026, 10:30:45 PM
References
- http://aix.software.ibm.com/aix/efixes/security/openssl_advisory10.asc
- http://linux.oracle.com/errata/ELSA-2014-1052.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00036.html
- http://marc.info/?l=bugtraq&m=142350350616251&w=2
- http://marc.info/?l=bugtraq&m=142495837901899&w=2
- http://marc.info/?l=bugtraq&m=142624590206005&w=2