Purely to give an independent answer - I'm not one of the openssl
developers and I've tested this. As expected the ssl3 implementation allows
any padding but the invalid padding is rejected with an alert when using
TLS. So as Matt has said, it's not a problem for openssl.
Cheers
Rich.
___
On 10/12/14 16:51, The Doctor wrote:
> Now POODLE is hitting TLS
>
> http://www.computerworld.com/article/2857274/security0/poodle-flaw-tls-itbwcw.html
>
> Any fixes in the works?
>
See my response to this yesterday on openssl-users:
https://mta.opensslfoundation.net/pipermail/openssl-users/2014
On Wed, Dec 10, 2014 at 09:51:15AM -0700, The Doctor wrote:
> Now POODLE is hitting TLS
>
> http://www.computerworld.com/article/2857274/security0/poodle-flaw-tls-itbwcw.html
>
> Any fixes in the works?
As already said previously, openssl is not affected by this.
kurt
__
> Now POODLE is hitting TLS
>
> http://www.computerworld.com/article/2857274/security0/poodle-flaw-tls-
> itbwcw.html
>
> Any fixes in the works?
As has already been covered in the openssl-dev list. OpenSSL does not have
this defect.
--
Principal Security Engineer, Akamai Technologies
IM:
Now POODLE is hitting TLS
http://www.computerworld.com/article/2857274/security0/poodle-flaw-tls-itbwcw.html
Any fixes in the works?
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist risin