Hi,

On Wed, 20 Dec 2017 11:51:39 +0530
haris iqbal <haris.phnx@xxxxxxxxx> wrote:

> I was wondering when exactly (the version) was the OpenSSL library
> patched for the Bleichenbacher Vulnerability?

It was probably fixed some time in the late 90s. However, according to
https://www.openssl.org/news/changelog.html
the countermeasures were accidentally removed in some 0.9.6 version.

However, there also was a 2012/2013 timing version of the attack fixed
here:
https://github.com/openssl/openssl/commit/adb46dbc6dd7347750df2468c93e8c34bcb93a4b

We also observed some old OpenSSL 0.9.8g crashing when we ran
Bleichenbacher scans against it, but we haven't entirely analyzed this.

> Wanted to know this, since my custom application uses an older version
> of OpenSSL, and I wanted to be sure that it is not affected.

Don't do this. Switch to a supported version. There's no way you will
plausibly keep this secure. Bleichenbacher attacks may be the least of
your worries.

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@xxxxxxxxx
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42