Also POODLE - Padding Oracle on Downgrade to LEgacy - is a two-part attack. Padding Oracle attacks on SSLv3 are well known BUT a large number of people assumed that if you offered higher levels of TLS you could avoid this unless a legacy client, which used only SSLv3, attached. The POODLE attack showed clearly that you could force a downgrade to legacy SSLv3, so just supporting it opened you to PO attacks.

As Viktor has pointed out, this is two fragments of 0x18 + 0x28 = 0x40, or 64 decimal, which is indeed a multiple of 8.

Regards
Mark Hack

On Sun, 2023-03-19 at 12:41 -0400, Viktor Dukhovni wrote:
> On Sun, Mar 19, 2023 at 03:09:47PM +0000, Ren Yanyu wrote:
>
> > I use SSL_write(ssl, buf, len) to send the data to a memory BIO and
> > read the encrypted message. For example, one of the messages reads:
> ---
> [two]
>
> > 17 03 00 00 18
> > ab d0 3c ae 20 f5 f8 ad dd 92 06 83 32 bd fa 6a
> > 02 44 5d ec 7b 6d 0c 2b
> > 17 03 00 00 28
> > 66 45 37 06 e6 86 3e d2 cc 77 c1 0b 45 dd 96 0c
> > c3 7c 23 8e ea 72 fa a6 f0 67 74 28 38 ae 37 23
> > 92 b8 07 96 ce 0f d3 ea
>
> You're confusing TCP segments with TLS records. A single TCP segment
> can carry more than one TLS record (or fewer, if the record is longer
> than the TCP MSS, or is the last fragment of a long record).
>
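The point about segments versus records, as an added example that is not code from the thread: a small record-layer splitter run over a buffer constructed from the hex Ren posted. It walks the 5-byte headers (content type, version, length), flags the SSLv3 record version that the POODLE remark is about, and keeps a trailing partial record for the next segment rather than misparsing it.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Constructed from the two records quoted in the thread: 0x18 + 0x28 payload
# bytes, back to back in one buffer, as one TCP segment might carry them.
SAMPLE_STREAM = bytes.fromhex(
    "1703000018"
    "abd03cae20f5f8addd92068332bdfa6a02445dec7b6d0c2b"
    "1703000028"
    "66453706e6863ed2cc77c10b45dd960cc37c238eea72faa6f06774283"
    "8ae372392b80796ce0fd3ea"
)

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


@dataclass
class TlsRecord:
    content_type: int
    version: Tuple[int, int]
    payload: bytes

    @property
    def legacy(self) -> bool:
        # Record-layer version 3.0 is SSLv3, the version POODLE downgrades to.
        return self.version == (3, 0)

    def describe(self) -> str:
        return (f"{CONTENT_TYPES.get(self.content_type, '?')} "
                f"{VERSIONS.get(self.version, '?')} len={len(self.payload)}")


def split_records(stream: bytes) -> Tuple[List[TlsRecord], bytes]:
    """Split a byte stream (e.g. one TCP segment's payload) into complete TLS
    records. Returns the records plus any trailing bytes of a record that is
    still incomplete, so the caller can prepend them to the next segment."""
    records: List[TlsRecord] = []
    pos = 0
    while len(stream) - pos >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record header at offset {pos}")
        if len(stream) - pos - 5 < length:
            break  # record continues in the next segment; keep the remainder
        records.append(TlsRecord(ctype, (major, minor), stream[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records, stream[pos:]
```

Running `split_records(SAMPLE_STREAM)` yields two application_data records of 24 and 40 bytes, both marked legacy, with nothing left over.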