RE: openssl SSL3 vulnerability

2014-10-28 Thread Pradeep Gudepu
...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jay Foster Sent: Friday, October 24, 2014 1:43 PM To: openssl-users@openssl.org Subject: Re: openssl SSL3 vulnerability There seems to be a difference between

RE: openssl SSL3 vulnerability

2014-10-27 Thread mclellan, dave
...@openssl.org] On Behalf Of Jay Foster Sent: Friday, October 24, 2014 1:43 PM To: openssl-users@openssl.org Subject: Re: openssl SSL3 vulnerability There seems to be a difference between the SSL (protocol) version and the Cipher version/description. You might try the following debug code to clarify

Re: openssl SSL3 vulnerability

2014-10-25 Thread Florian Weimer
* Pradeep Gudepu: if(server) //method = ::SSLv23_server_method(); method = ::TLSv1_server_method(); else //method = ::SSLv23_client_method(); method = ::TLSv1_client_method(); This is wrong, it prevents the use of TLS 1.1 and TLS 1.2.

openssl SSL3 vulnerability

2014-10-24 Thread Pradeep Gudepu
Hi, To get rid of the openssl SSL3 Poodle bug, I upgraded from openssl 1.0.1g to 1.0.1j. I also compiled the openssl sources with no-ssl2 no-ssl3, so that only TLSv1 works in the client server application. On top of this, in my SSL config code, I added the following code to create the context. if(server)

RE: openssl SSL3 vulnerability

2014-10-24 Thread mclellan, dave
-openssl-us...@openssl.org] On Behalf Of Pradeep Gudepu Sent: Friday, October 24, 2014 6:13 AM To: openssl-users@openssl.org Subject: openssl SSL3 vulnerability Hi, To get rid of the openssl SSL3 Poodle bug, I upgraded from openssl 1.0.1g to 1.0.1j. I also compiled the openssl sources with no-ssl2 no-ssl3

Re: openssl SSL3 vulnerability

2014-10-24 Thread Jeffrey Walton
On Fri, Oct 24, 2014 at 7:15 AM, mclellan, dave dave.mclel...@emc.com wrote: I have also had this same experience (1.0.1i) with SSLv3 being negotiated though I used the SSL_OP_NO_SSLv3 flag on the SSL_set_options call. (I have NOT re-built with SSLv3 disabled). If that's the case, then a

RE: openssl SSL3 vulnerability

2014-10-24 Thread mclellan, dave
...@emc.com +-+-+-+-+-+-+-+-+- -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton Sent: Friday, October 24, 2014 8:42 AM To: OpenSSL Users List Subject: Re: openssl SSL3 vulnerability On Fri, Oct 24, 2014 at 7:15 AM

RE: openssl SSL3 vulnerability

2014-10-24 Thread Michael Wojcik
[mailto:owner-openssl-us...@openssl.org] On Behalf Of mclellan, dave Sent: Friday, 24 October, 2014 09:06 To: openssl-users@openssl.org Subject: RE: openssl SSL3 vulnerability If that's the case (Jeffrey has not observed the behavior) then I have done something wrong, which has been my suspicion

Re: openssl SSL3 vulnerability

2014-10-24 Thread Jeffrey Walton
On Fri, Oct 24, 2014 at 9:30 AM, Michael Wojcik michael.woj...@microfocus.com wrote: You have SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2 there. I assume v2 ... v2 is a typo, but if that's what your code actually has, then that's the problem. (Assuming there isn't some other problem, of course.) That's

RE: openssl SSL3 vulnerability

2014-10-24 Thread Michael Wojcik
From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Jeffrey Walton Sent: Friday, 24 October, 2014 09:42 To: OpenSSL Users List Subject: Re: openssl SSL3 vulnerability On Fri, Oct 24, 2014 at 9:30 AM, Michael Wojcik michael.woj...@microfocus.com

RE: openssl SSL3 vulnerability

2014-10-24 Thread Pradeep Gudepu
. Thanks – Pradeep reddy. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton Sent: Friday, October 24, 2014 7:12 PM To: OpenSSL Users List Subject: Re: openssl SSL3 vulnerability On Fri, Oct 24, 2014 at 9:30 AM

RE: openssl SSL3 vulnerability

2014-10-24 Thread mclellan, dave
: 978-500-2546, dave.mclel...@emc.com +-+-+-+-+-+-+-+-+- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Michael Wojcik Sent: Friday, October 24, 2014 9:30 AM To: openssl-users@openssl.org Subject: RE: openssl SSL3 vulnerability You have

Re: openssl SSL3 vulnerability

2014-10-24 Thread Jeffrey Walton
On Fri, Oct 24, 2014 at 9:53 AM, Michael Wojcik michael.woj...@microfocus.com wrote: From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Jeffrey Walton Sent: Friday, 24 October, 2014 09:42 To: OpenSSL Users List Subject: Re: openssl SSL3 vulnerability

RE: openssl SSL3 vulnerability

2014-10-24 Thread Michael Wojcik
From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Jeffrey Walton Sent: Friday, 24 October, 2014 10:26 To: OpenSSL Users List Subject: Re: openssl SSL3 vulnerability On Fri, Oct 24, 2014 at 9:53 AM, Michael Wojcik michael.woj...@microfocus.com

Re: openssl SSL3 vulnerability

2014-10-24 Thread Jakob Bohm
On 24/10/2014 15:53, Pradeep Gudepu wrote: To my earlier code, I have added these extra flags for the client: SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); And the server also has these same flags set, so that there is no way the client and server can communicate on sslv2, sslv3. But

RE: openssl SSL3 vulnerability

2014-10-24 Thread mclellan, dave
...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: Friday, October 24, 2014 12:37 PM To: openssl-users@openssl.org Subject: Re: openssl SSL3 vulnerability On 24/10/2014 15:53, Pradeep Gudepu wrote: To my earlier code, I have added these extra flags for client

Re: openssl SSL3 vulnerability

2014-10-24 Thread Erik Forsberg
That triggers my memory. I saw this too a long time ago. If I recall correctly, if you get a TLSv1.2 connection, it's still logged as SSLv3 (there is a lack of printable enums in the OpenSSL code). I looked at my negotiation with wireshark and saw that I got TLSv1.2 despite what the debug trace said.

RE: openssl SSL3 vulnerability

2014-10-24 Thread mclellan, dave
- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erik Forsberg Sent: Friday, October 24, 2014 12:46 PM To: openssl-users@openssl.org Subject: Re: openssl SSL3 vulnerability That triggers my memory. I saw this too a long time ago, if I recall correctly

Re: openssl SSL3 vulnerability

2014-10-24 Thread Jeffrey Walton
On Fri, Oct 24, 2014 at 12:51 PM, mclellan, dave dave.mclel...@emc.com wrote: ... The reason I questioned my own setup, and piggy-backed on Pradeep’s first post was this: I expected to see “TLS” when such a protocol is chosen. There is a case where I specifically see TLSv1.2 in the cipher

Re: openssl SSL3 vulnerability

2014-10-24 Thread Jay Foster
-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erik Forsberg Sent: Friday, October 24, 2014 12:46 PM To: openssl-users@openssl.org Subject: Re: openssl SSL3 vulnerability That triggers my memory. I saw this too a long time ago, if I recall correctly, if you get

RE: openssl SSL3 vulnerability

2014-10-24 Thread Pradeep Gudepu
option to copy as text. Thanks – Pradeep Reddy. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jay Foster Sent: Friday, October 24, 2014 11:13 PM To: openssl-users@openssl.org Subject: Re: openssl SSL3 vulnerability There seems to be a difference

Re: openssl SSL3 vulnerability

2014-10-24 Thread Matt Caswell
On 24/10/14 11:12, Pradeep Gudepu wrote: But in logs, I still see, client and server are negotiated with SSLv3. SSLConfig::Init: SSL initiated (OpenSSL 1.0.1j 15 Oct 2014 built on: Fri Oct 24 07:44:36 2014). SSLSocket::Callback: Handshake done: AES256-SHA SSLv3 Kx=RSA