Re: New Timing Attack on OpenSSL ECDSA

2011-05-25 Thread Mounir IDRASSI
Hi all, The paper is clearly indicating that they successfully mounted a practical attack against OpenSSL TLS implementation that uses elliptic curves and ECDHE_ECDSA based ciphers. They used the OpenSSL s_server utility and the versions indicated in their paper are 0.9.8o and 1.0.1a. I'm not a

RE: New Timing Attack on OpenSSL ECDSA

2011-05-25 Thread Paul Suhler
Hi, David. So what is the meaning of the "Affected" status for OpenSSL? Is that simply because ECDSA is supported by OpenSSL? Or did they actually test against an implementation that exhibited the vulnerability? Either way, FIPS 140-3 will only require protection against non-invasive atta

Re: New Timing Attack on OpenSSL ECDSA

2011-05-25 Thread David McGrew
Hi John, thanks for forwarding. There has been a short thread on this on attack-interest yesterday and today. The way that these timing attacks work is that the attacker will time a lot of crypto operations (in this case the ECDSA signing operation) and then exploit the fact that the tim

Re: Reply: Re: [PATCH] to add a switch to openssl's compression methods

2011-05-25 Thread Thor Lancelot Simon
On Tue, May 24, 2011 at 07:45:34PM -0600, Guan Jun He wrote: > > > >>> At 10:23 PM on 5/24/2011, in message <20110524142324.ga29...@panix.com>, Thor Lancelot Simon wrote: > > On Tue, May 24, 2011 at 05:10:03PM +0800, GuanJun He wrote: > >> Hi, > >> > >> This is a patch to add a switch to openssl's co

Fwd: New Timing Attack on OpenSSL ECDSA

2011-05-25 Thread John Foley
David, Would your ECDSA implementation be subject to the following timing attack? Original Message Subject: New Timing Attack on OpenSSL ECDSA Date: Wed, 25 May 2011 15:59:58 +0200 From: Mounir IDRASSI Reply-To: openssl-dev@openssl.org Organization: IDRIX To

[openssl.org #2533] [PATCH] Setting SSL_MODE_RELEASE_BUFFERS crashes with DTLS

2011-05-25 Thread Robin Seggelmann via RT
Setting SSL_MODE_RELEASE_BUFFERS should be ignored for DTLS, but instead causes the program to crash. This is due to missing version checks and is fixed with this patch. Best regards Robin --- ssl/s3_pkt.c11 May 2011 13:37:52 - 1.72.2.7.2.7 +++ ssl/s3_pkt.c25 May 201

RE: [openssl.org #2524] openssl 1.0.0d bug report/ query

2011-05-25 Thread Gardner, Sam
Hi Steve, I'm using curl 7.21.6 to make the request. When I build it with openssl 0.9.8i uppercase hostnames work fine. However, when I build curl with openssl 1.0.0d I get a 400 (bad request) with uppercase hostnames, but only with https requests. HTTP requests are fine. Any ideas? Kind Regar

New Timing Attack on OpenSSL ECDSA

2011-05-25 Thread Mounir IDRASSI
Hi all, Is there any plan for implementing counter measures against the newly discovered vulnerability in ECDSA operations of OpenSSL? For those not aware of it, here is the US-CERT link of this vulnerability: http://www.kb.cert.org/vuls/id/536044 Here is also the original paper that contains

RE: [openssl.org #2524] openssl 1.0.0d bug report/ query

2011-05-25 Thread Gardner, Sam via RT
Hi Steve, I'm using curl 7.21.6 to make the request. When I build it with openssl 0.9.8i uppercase hostnames work fine. However, when I build curl with openssl 1.0.0d I get a 400 (bad request) with uppercase hostnames, but only with https requests. HTTP requests are fine. Any ideas? Kind Regar

Reply: Re: [PATCH] to add a switch to openssl's compression methods

2011-05-25 Thread Guan Jun He
>>> At 10:23 PM on 5/24/2011, in message <20110524142324.ga29...@panix.com>, Thor Lancelot Simon wrote: > On Tue, May 24, 2011 at 05:10:03PM +0800, GuanJun He wrote: >> Hi, >> >> This is a patch to add a switch to openssl's compression >> methods (if compression methods are configured to compile in, '