> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of > Sam Roberts > Sent: Wednesday, February 27, 2019 11:33 > > Even though this is fixed, would the general advice still be "avoid > CBC in favour of AESCCM and AESGCM when using TLS1.2"? Or update to > TLS1.3. The general advice is to avoid CBC mode where possible, full stop. Too many deployed implementations are still vulnerable to one form or another of padding-oracle attacks. Unless you control both ends of the conversation, you can't guarantee the peer isn't vulnerable. Frankly, this latest vulnerability in OpenSSL 1.0.2 feels pretty minor in that regard, since it depends on two different (if related) behaviors by the application to be vulnerable. The application has to incorrectly attempt a second SSL_shutdown if the first one fails (it should only do the second if the first succeeds), and it has to have different behavior that's visible to the attacker for the two cases, in order to be a useful oracle. AND it has to be using a non-stitched implementation of a vulnerable cipher. It's a relatively narrow branch of the attack tree. -- Michael Wojcik Distinguished Engineer, Micro Focus
