On Mon, Apr 30, 2012 at 5:23 PM, Paul Suhler <paul.suh...@quantum.com> wrote: > Perhaps it's related to CVE-2011-4576: > > https://kc.mcafee.com/corporate/index?page=content&id=KB75138&actp=LIST > and > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576 > > "The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f > does not properly initialize data structures for block cipher padding, which > might allow remote attackers to obtain sensitive information by decrypting > the padding data sent by an SSL peer."
Presumably - you'd hope that McAfee had the time/energy/skill to actually understand the issue, rather than just transcribe the CVE report... But apparently not. > > ____________________________________________________________________________________________________ > Paul A. Suhler, PhD | Firmware Engineer | Quantum Corporation | Office: > 949.856.7748 | paul.suh...@quantum.com > Preserving the World's Most Important Data. Yours.T > > -----Original Message----- > From: owner-openssl-us...@openssl.org > [mailto:owner-openssl-us...@openssl.org] On Behalf Of Ben Laurie > Sent: Monday, April 30, 2012 1:32 AM > To: openssl-users@openssl.org > Subject: Re: McAfee Claims TLS Vulnerability > > On Sun, Apr 29, 2012 at 10:40 PM, Mike Hoy <mho...@gmail.com> wrote: >> We use McAfee to scan our website for vulnerabilities. They claim the >> following: >>> >>> Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. >>> Configure SSL/TLS servers to only support cipher suites that do not >>> use block ciphers. Apply patches if available. > > What kind of crazy advice is this? > > > ---------------------------------------------------------------------- > The information contained in this transmission may be confidential. Any > disclosure, copying, or further distribution of confidential information is > not permitted unless such privilege is explicitly granted in writing by > Quantum. Quantum reserves the right to have electronic communications, > including email and attachments, sent across its networks filtered through > anti virus and spam software programs and retain such messages in order to > comply with applicable data security and retention requirements. Quantum is > not responsible for the proper and complete transmission of the substance of > this communication or for any delay in its receipt. > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org