On Fri, Jun 06, 2014, Matt Caswell wrote:

> On 6 June 2014 08:27, Zhong Chen <[email protected]> wrote:
> >
> > We are using openssl 1.0.0 as a server. Looking at the diff between 1.0.0m
> > and 1.0.0k, same patch is applied to s3_srvr.c and s3_pkt.c. I want to
> > confirm this is just for precaution, or openssl 1.0.0 is vulnerable too.
> >
> 
> As it says in the quote you have provided, only 1.0.1 servers are
> known to be vulnerable. The same patch is applied to other server
> versions as a precaution and we still advise you to upgrade.
> 

Just to expand on the reason for this. It's a bit complex and I hope I haven't
oversimplified it.

Roughly speaking the attack relies on being able to persuade server and client
to use a compatible (i.e. still able to complete) invalid handshake with a
zero length master secret. The MITM can then determine the session keys and
decrypt and modify all traffic.

A client or server not based on a vulnerable version of OpenSSL will abort the
connection because the handshake is invalid. This is why you need a vulnerable
client and server for the attack to work.

The compatibility requirement explains why only 1.0.1 servers are vulnerable:
although servers earlier than 1.0.0 *can* be persuaded to use an invalid
handshake it is *not* compatible with the client handshake so any attempt to
perform the attack will fail.

It's for that reason that the patch is the same in 1.0.0 versions of OpenSSL:
it prevents the invalid handshake which is a good thing.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
