OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue
Medium Nessus Plugin ID 51893
Synopsis
The remote host allows the resumption of SSL sessions with a disabled cipher.

Description
The version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers when resuming a session. This means that an attacker who sees (e.g. by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a disabled cipher chosen by the attacker.

Solution
Upgrade to OpenSSL 0.9.8j or later.