On 09/12/14 20:30, Arthur Tsang wrote:
> Hi Rich,
>
> Do we have some formal announcement that OpenSSL is not vulnerable for
> POODLE in TLS? Or can you explain why OpenSSL is not affected? If
> Symantec is issuing notification like that, I guess a lot of
> management will demand explanations. Thanks,
>

Adam Langley's post provides a good explanation of this problem:
https://www.imperialviolet.org/2014/12/08/poodleagain.html
The specification of SSLv3 did not specify the format of padding bytes to be used when encrypting data. This led to an oracle attack. TLS on the other hand *does* specify this, and therefore (if you implement it correctly) is not vulnerable to this oracle attack. A TLS library needs to check that the padding bytes are correctly formatted and fail if not.

The problem is that it is possible to implement a TLS library and still use the SSLv3 decryption routines when working with TLS (i.e. not check the padding bytes). This *will* work, although it is not compliant with the spec. If you fail to check the padding bytes then your TLS implementation is vulnerable to the same POODLE oracle attack.

I can confirm that OpenSSL is compliant with the spec and *does* check the padding bytes. It is therefore not vulnerable to this issue.

Matt

_______________________________________________
openssl-users mailing list
openssl-users@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
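The padding checks Matt contrasts, written out as an added example (this is not OpenSSL's code). It assumes a 16-byte (AES) block size and takes a CBC record after block decryption, i.e. data || MAC || padding || padding_length; the two sample blocks are constructed, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define CBC_BLOCK_SIZE 16  /* assumed block size for this example */

/* SSLv3 (RFC 6101, 5.2.3.2): only the final padding_length byte is
 * meaningful; the padding bytes themselves are unspecified, so all a
 * decoder can verify is that the padding fits inside one block. A
 * modified block whose last byte happens to decrypt to a plausible
 * length therefore passes, which is the oracle POODLE relies on. */
bool sslv3_padding_ok(const uint8_t *pt, size_t len)
{
    if (len == 0)
        return false;
    size_t pad = pt[len - 1];
    return pad < CBC_BLOCK_SIZE && pad + 1 <= len;
}

/* TLS (RFC 5246, 6.2.3.2): every padding byte must equal padding_length
 * and the receiver must reject the record otherwise. Differences are
 * OR-ed together instead of returning at the first mismatch, so which
 * byte is wrong does not change the timing; hiding the padding length
 * and the MAC check as well (Lucky 13) is outside this example. */
bool tls_padding_ok(const uint8_t *pt, size_t len)
{
    if (len == 0)
        return false;
    size_t pad = pt[len - 1];
    if (pad + 1 > len)
        return false;
    uint8_t diff = 0;
    for (size_t i = len - 1 - pad; i < len; i++)
        diff |= pt[i] ^ (uint8_t)pad;
    return diff == 0;
}

/* Constructed sample blocks. Both end with padding_length 0x03; only
 * the second carries correctly formatted padding (0x03 0x03 0x03)
 * in front of it. The first passes SSLv3-style checking but not TLS. */
const uint8_t garbage_padding[16] = {
    0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
    0x20, 0x32, 0x30, 0x30, 0x9a, 0x41, 0xe7, 0x03 };
const uint8_t tls_padding[16] = {
    0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31,
    0x20, 0x32, 0x30, 0x30, 0x03, 0x03, 0x03, 0x03 };
```

A TLS stack that reuses the SSLv3 routine accepts `garbage_padding`; a compliant one rejects it and treats the record as a MAC/padding failure.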