Is there a summary somewhere of the changes that were made to the SSLv3 and TLSv1 message exchanges to avoid the vulnerability in the CBC cipher suites?
In particular, I need to know: . the description of the vulnerability . a description of the workaround . a summary of why the workaround should be considered valid in the protocol I have come across a large commercial user of SSL services for whom the workaround fails. The transmission of the data frame with no application data generates an SSL Alert causing the application to close the connection. The developers of the SSL library being used have replied that SSLv3 does not permit data frames containing no application data. Can someone summarize the issues for me? Thanks. Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!! The Kermit Project @ Columbia University SSH, Secure Telnet, Secure FTP, HTTP http://www.kermit-project.org/ Secured with MIT Kerberos, SRP, and [EMAIL PROTECTED] OpenSSL. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
