CVE-2014- and OpenSSL?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



thanks for the clarification.

On Tue, Dec 9, 2014 at 1:00 PM, Matt Caswell <matt at openssl.org> wrote:

>
> On 09/12/14 20:30, Arthur Tsang wrote:
> > Hi Rich,
> >
> > do we have some formal announcement that openssl is not vulnerable for
> > POODLE in TLS?  or can you explain why Openssl is not affected?  if
> > symantec is issuing notification like that, i guess, a lot of
> > management will demand explanations.  Thanks,
> >
> >
> Adam Langley's post provides a good explanation of this problem:
> https://www.imperialviolet.org/2014/12/08/poodleagain.html
>
> The specification of SSLv3 did not specify the format of padding bytes
> to be used when encrypting data. This led to an oracle attack.
>
> TLS on the other hand *does* specify this, and therefore (if you
> implement it correctly) is not vulnerable to this oracle attack. A TLS
> library needs to check the padding bytes are correctly formatted and
> fail if not. The problem is that it is possible to implement a TLS
> library and still use the SSLv3 decryption routines when working with
> TLS (i.e. don't check the padding bytes). This *will* work, although it
> is not compliant with the spec. If you fail to check the padding bytes
> then your TLS implementation is vulnerable to the same POODLE oracle
> attack.
>
> I can confirm that OpenSSL is compliant with the spec and *does* check
> the padding bytes. It is therefore is not vulnerable to this issue.
>
> Matt
>
> _______________________________________________
> openssl-users mailing list
> openssl-users at openssl.org
> https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
>
>


-- 
Thanks,
Arthur
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.opensslfoundation.net/pipermail/openssl-users/attachments/20141209/5ff861f3/attachment-0001.html>


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux