On 20 December 2017 at 14:21, haris iqbal <haris.phnx@xxxxxxxxx> wrote:
> Wanted to know this, since my custom application uses an older version
> of OpenSSL, and I wanted to be sure that it is not affected.

Not answering your original question. But you can test it using one of the following tools:

========
The following tools have checks that will cover ROBOT:

testssl.sh has a test closely modelled after our own one. A snapshot is available, it's not yet part of a release. It also supports SNI and STARTTLS, which our test does not.

TLS-Attacker already contained Bleichenbacher checks before our research, version 2.2 was extended with additional checks to cover all ROBOT variations.

SSLLabs has added a check in their development version.

Tripwire IP360 added detection for vulnerable F5 devices in ASPL-753 which was released in coordination with F5's public advisory. Generic detection of Bleichenbacher oracles will be released in coordination with this publication.

tlsfuzzer has an extensive test script for Bleichenbacher vulns, though it will also complain about misbehaving servers that are not necessarily vulnerable.

SSLyze added support for ROBOT detection after our disclosure.
=========

Ref: https://robotattack.org/

--
mks
--