On 27/02/2019 16:47, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf
>> Of Sam Roberts Sent: Wednesday, February 27, 2019 11:33
>>
>> Even though this is fixed, would the general advice still be "avoid CBC in
>> favour of AESCCM and AESGCM when using TLS1.2"? Or update to TLS1.3.
>
> The general advice is to avoid CBC mode where possible, full stop. Too many
> deployed implementations are still vulnerable to one form or another of
> padding-oracle attacks. Unless you control both ends of the conversation, you
> can't guarantee the peer isn't vulnerable.
>
> Frankly, this latest vulnerability in OpenSSL 1.0.2 feels pretty minor in
> that regard, since it depends on two different (if related) behaviors by the
> application to be vulnerable. The application has to incorrectly attempt a
> second SSL_shutdown if the first one fails (it should only do the second if
> the first succeeds),

This is not quite correct. It requires you to incorrectly call SSL_shutdown()
twice (once to send a close_notify, and once to receive one) having previously
encountered a fatal error. For example if you call SSL_read() which returns <=0
and SSL_get_error() returns SSL_ERROR_SYSCALL or SSL_ERROR_SSL then a fatal
error has occurred. You should *not* then attempt to call SSL_shutdown().

Matt