Thanks for the clarification.

On Tue, Dec 9, 2014 at 1:00 PM, Matt Caswell <matt at openssl.org> wrote:
>
> On 09/12/14 20:30, Arthur Tsang wrote:
> > Hi Rich,
> >
> > Do we have some formal announcement that OpenSSL is not vulnerable to
> > POODLE in TLS? Or can you explain why OpenSSL is not affected? If
> > Symantec is issuing notifications like that, I guess a lot of
> > management will demand explanations. Thanks,
> >
>
> Adam Langley's post provides a good explanation of this problem:
> https://www.imperialviolet.org/2014/12/08/poodleagain.html
>
> The specification of SSLv3 did not specify the format of padding bytes
> to be used when encrypting data. This led to an oracle attack.
>
> TLS on the other hand *does* specify this, and therefore (if you
> implement it correctly) is not vulnerable to this oracle attack. A TLS
> library needs to check the padding bytes are correctly formatted and
> fail if not. The problem is that it is possible to implement a TLS
> library and still use the SSLv3 decryption routines when working with
> TLS (i.e. don't check the padding bytes). This *will* work, although it
> is not compliant with the spec. If you fail to check the padding bytes
> then your TLS implementation is vulnerable to the same POODLE oracle
> attack.
>
> I can confirm that OpenSSL is compliant with the spec and *does* check
> the padding bytes. It is therefore not vulnerable to this issue.
>
> Matt
>
> _______________________________________________
> openssl-users mailing list
> openssl-users at openssl.org
> https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
>

--
Thanks,
Arthur
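The padding checks Matt describes, carried through to the one-byte leak that Adam Langley's post explains, as an added Python model. This is not code from this thread, from OpenSSL, or from either author, and everything in it is constructed for illustration: the block cipher is a toy SHA-256 Feistel stand-in, the record layout data || MAC || padding and the HTTP request are made up, and the server is reduced to an accept/reject function. padding_ok_sslv3 looks only at the pad-length byte, which is all SSLv3 defined; padding_ok_tls requires every padding byte to equal it, as TLS does. Against the SSLv3-style check, overwriting the final all-padding block of a re-sent record with a target ciphertext block is accepted roughly once in 256 tries, and each acceptance reveals one plaintext byte; against the TLS-style check the same forgery is never accepted.

```python
import hashlib, hmac, secrets

BLOCK, MAC_LEN, ROUNDS = 16, 16, 4   # toy block size, truncated-MAC length, Feistel rounds

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def padding_ok_sslv3(plain: bytes) -> bool:
    """SSLv3: last byte is the pad length (< block size); the pad bytes are undefined, so unchecked."""
    return bool(plain) and plain[-1] < BLOCK and len(plain) >= plain[-1] + 1

def padding_ok_tls(plain: bytes) -> bool:
    """TLS 1.0+: every pad byte must equal the pad-length byte (real code does this in constant time)."""
    if not plain or len(plain) < plain[-1] + 1:
        return False
    return all(b == plain[-1] for b in plain[-(plain[-1] + 1):])

def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (SHA-256 Feistel): a keyed bijection with diffusion, nothing more."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, plain: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(plain), BLOCK):
        prev = toy_encrypt(key, _xor(plain[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt(key: bytes, iv: bytes, cipher: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(cipher), BLOCK):
        out += _xor(toy_decrypt(key, cipher[i:i + BLOCK]), prev)
        prev = cipher[i:i + BLOCK]
    return bytes(out)

def build_record(key, mac_key, data, tls_style):
    """Client side: data || MAC || padding, CBC-encrypted under a fresh random IV."""
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    pad_len = BLOCK - 1 - len(body) % BLOCK                        # minimal padding
    if tls_style:
        padding = bytes([pad_len]) * (pad_len + 1)                 # every byte == pad_len
    else:
        padding = secrets.token_bytes(pad_len) + bytes([pad_len])  # SSLv3: arbitrary bytes
    iv = secrets.token_bytes(BLOCK)
    return iv, cbc_encrypt(key, iv, body + padding)

def server_accepts(key, mac_key, iv, cipher, tls_style):
    """Server side: decrypt, check padding, strip it, verify MAC.  Only accept/reject is visible."""
    plain = cbc_decrypt(key, iv, cipher)
    if not (padding_ok_tls if tls_style else padding_ok_sslv3)(plain):
        return False
    body = plain[:len(plain) - plain[-1] - 1]
    tag = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(body[-MAC_LEN:], tag)

def recover_last_byte(oracle, make_record, target_block, max_tries=50000):
    """POODLE step: have the client re-send the record (fresh IV), overwrite the final,
    padding-only block with ciphertext block `target_block`, and watch the oracle."""
    for tries in range(1, max_tries + 1):
        iv, cipher = make_record()
        blocks = [iv] + [cipher[i:i + BLOCK] for i in range(0, len(cipher), BLOCK)]
        j = target_block + 1                                       # blocks[0] is the IV
        if oracle(iv, cipher[:-BLOCK] + blocks[j]):
            # Accepted => D(C_j)[-1] ^ C_{n-1}[-1] == BLOCK-1, and the real plaintext
            # byte is D(C_j)[-1] ^ C_{j-1}[-1]; both neighbours are known ciphertext.
            return (BLOCK - 1) ^ blocks[-2][-1] ^ blocks[j - 1][-1], tries
    return None, max_tries                                         # oracle never fired

def demo(tls_style, max_tries=50000):
    """Returns (recovered_byte_or_None, tries, actual_byte) for one padding-check style."""
    key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    # Constructed request, sized so data+MAC fill whole blocks and the last block is
    # padding only (POODLE needs the attacker to arrange exactly this).
    data = b"GET /a HTTP/1.0\r\nCookie: session=s3cr3tT0k3n!!\r\n"
    assert (len(data) + MAC_LEN) % BLOCK == 0
    oracle = lambda iv, c: server_accepts(key, mac_key, iv, c, tls_style)
    make = lambda: build_record(key, mac_key, data, tls_style)
    byte, tries = recover_last_byte(oracle, make, target_block=1, max_tries=max_tries)
    return byte, tries, data[2 * BLOCK - 1]

if __name__ == "__main__":
    print("SSLv3-style check:", demo(False))       # recovers ord('n') after ~256 tries
    print("TLS-style check:  ", demo(True, 2000))  # (None, 2000, 110): never accepted
```

Run it directly to see both outcomes. The TLS result is the point of Matt's reply: it is the padding-byte check, not the protocol version label, that closes the oracle, so a TLS stack that silently reuses SSLv3 decryption routines behaves like the first case.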