Perhaps it's related to CVE-2011-4576:

https://kc.mcafee.com/corporate/index?page=content&id=KB75138&actp=LIST
and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576

"The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does 
not properly initialize data structures for block cipher padding, which might 
allow remote attackers to obtain sensitive information by decrypting the 
padding data sent by an SSL peer."

____________________________________________________________________________________________________
 
Paul A. Suhler, PhD | Firmware Engineer | Quantum Corporation | Office: 
949.856.7748 | paul.suh...@quantum.com
Preserving the World's Most Important Data. Yours.™

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Ben Laurie
Sent: Monday, April 30, 2012 1:32 AM
To: openssl-users@openssl.org
Subject: Re: McAfee Claims TLS Vulnerability

On Sun, Apr 29, 2012 at 10:40 PM, Mike Hoy <mho...@gmail.com> wrote:
> We use McAfee to scan our website for vulnerabilities. They claim the
> following:
>>
>> Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
>> Configure SSL/TLS servers to only support cipher suites that do not 
>> use block ciphers. Apply patches if available.

What kind of crazy advice is this?
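
The affected ranges in the CVE-2011-4576 description quoted at the top of this message, turned into a version check. This is an added example, not part of the original thread; the function names and the sample banner strings are constructed for illustration.

```python
import re

# Classic OpenSSL scheme: major.minor.fix plus optional patch letter(s),
# e.g. "0.9.8r", "1.0.0e", "0.9.8zh". A pre-release or build tag such as
# "-fips" or "-beta1" is ignored and the base release is used.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# First fixed releases, taken from the CVE text:
# "before 0.9.8s and 1.x before 1.0.0f".
FIXED_098 = (0, 9, 8, (1, "s"))
FIXED_100 = (1, 0, 0, (1, "f"))


def parse_openssl_version(text):
    """Parse e.g. 'OpenSSL 0.9.8r 8 Feb 2011' into a comparable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    letters = m.group(4)
    # Rank by (length, letters) so "" < "a" < ... < "z" < "za" < "zb".
    return (major, minor, fix, (len(letters), letters))


def affected_by_cve_2011_4576(text):
    """True if the upstream version falls in the ranges the CVE names.

    Caveat: distributions often backport fixes without changing the
    upstream version string, so True means "check the vendor advisory",
    not "confirmed vulnerable".
    """
    v = parse_openssl_version(text)
    if v[:3] <= (0, 9, 8):      # 0.9.8 branch and anything older
        return v < FIXED_098
    if v[:3] == (1, 0, 0):      # 1.0.0 branch
        return v < FIXED_100
    return False                # 1.0.1 and later are past 1.0.0f


if __name__ == "__main__":
    # Constructed sample banners in the style of `openssl version` output.
    for banner in ("OpenSSL 0.9.8r 8 Feb 2011",
                   "OpenSSL 0.9.8s 4 Jan 2012",
                   "OpenSSL 1.0.0e 6 Sep 2011",
                   "OpenSSL 1.0.1 14 Mar 2012"):
        state = "in affected range" if affected_by_cve_2011_4576(banner) else "not affected"
        print("%-28s %s" % (banner, state))
```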

