[zeromq-dev] ZMTP3.0 authentication protocol bug with ZeroMQ4.0?

Hugo Landau hlandau at devever.net
Fri Oct 3 01:29:08 CEST 2014


I tested it.

With zeromq4-x master, the client doesn't even bother to send a full
greeting after receiving the server's greeting with the wrong mechanism.
However it still keeps reconnecting ad infinitum.

With libzmq master, the client doesn't try and reconnect. So this
appears to be an ideal implementation.

Thanks for the help.

Hugo Landau

On Thu, Oct 02, 2014 at 11:34:25PM +0200, Pieter Hintjens wrote:
> Hi Hugo,
> The downgrade attack has been reported and fixed in the 4.x stable
> release (so for 4.0.5).
> The error handling has been quite heavily modified in libzmq master
> (so for 4.1.0).
> Would you be able to retest against the two github masters?
> -Pieter
