ActiveMQ CPP with OpenSSL

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

ActiveMQ CPP with OpenSSL

shirley
Recently, openssl has confirmed a vulnerability that OpenSSL (before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h) TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.

In OpenSSLContextSpi.cpp of activemq-cpp 3.8.2 source codes, we could see that it sets the cipher suite to "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH". The default ssl transport seems not to exclude the anonymous ECDH (!AECDH or !aNULL).

So does it mean that the activemq-cpp clients are affected by this vulnerability if our activemq-cpp library is built with openssl 1.0.1 before 1.0.0h?