...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Jay Foster
Sent: Friday, October 24, 2014 1:43 PM
To: openssl-users@openssl.org
Subject: Re: openssl SSL3 vulnerability
There seems to be a difference between
...@openssl.org]
On Behalf Of Jay Foster
Sent: Friday, October 24, 2014 1:43 PM
To: openssl-users@openssl.org
Subject: Re: openssl SSL3 vulnerability
There seems to be a difference between the SSL (protocol) version and the
Cipher version/description. You might try the following debug code to clarify
* Pradeep Gudepu:
if(server)
    //method = ::SSLv23_server_method();
    method = ::TLSv1_server_method();
else
    //method = ::SSLv23_client_method();
    method = ::TLSv1_client_method();
This is wrong, it prevents the use of TLS 1.1 and TLS 1.2.
Hi,
To get rid of the openssl SSL3 Poodle bug, I upgraded from openssl 1.0.1g to
1.0.1j. Also compiled openssl sources with no-ssl2 no-ssl3, so that only TLSv1
works in client server application.
On top of this, in my SSL config code, I added the following code to create context.
if(server)
-openssl-us...@openssl.org]
On Behalf Of Pradeep Gudepu
Sent: Friday, October 24, 2014 6:13 AM
To: openssl-users@openssl.org
Subject: openssl SSL3 vulnerability
Hi,
To get rid of the openssl SSL3 Poodle bug, I upgraded from openssl 1.0.1g to
1.0.1j. Also compiled openssl sources with no-ssl2 no-ssl3
On Fri, Oct 24, 2014 at 7:15 AM, mclellan, dave dave.mclel...@emc.com wrote:
I have also had this same experience (1.0.1i) with SSLv3 being negotiated
though I used the SSL_OP_NO_SSLv3 flag on the SSL_set_options call. (I have
NOT re-built with SSLv3 disabled).
If that's the case, then a
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jeffrey Walton
Sent: Friday, October 24, 2014 8:42 AM
To: OpenSSL Users List
Subject: Re: openssl SSL3 vulnerability
On Fri, Oct 24, 2014 at 7:15 AM
[mailto:owner-openssl-us...@openssl.org]
On Behalf Of mclellan, dave
Sent: Friday, 24 October, 2014 09:06
To: openssl-users@openssl.org
Subject: RE: openssl SSL3 vulnerability
If that's the case (Jeffrey has not observed the behavior) then I have done
something wrong, which has been my suspicion
On Fri, Oct 24, 2014 at 9:30 AM, Michael Wojcik
michael.woj...@microfocus.com wrote:
You have SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2 there. I assume v2 ... v2 is
a typo, but if that's what your code actually has, then that's the problem.
(Assuming there isn't some other problem, of course.)
That's
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jeffrey Walton
Sent: Friday, 24 October, 2014 09:42
To: OpenSSL Users List
Subject: Re: openssl SSL3 vulnerability
On Fri, Oct 24, 2014 at 9:30 AM, Michael Wojcik
michael.woj...@microfocus.com
.
Thanks – Pradeep reddy.
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jeffrey Walton
Sent: Friday, October 24, 2014 7:12 PM
To: OpenSSL Users List
Subject: Re: openssl SSL3 vulnerability
On Fri, Oct 24, 2014 at 9:30 AM
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Michael Wojcik
Sent: Friday, October 24, 2014 9:30 AM
To: openssl-users@openssl.org
Subject: RE: openssl SSL3 vulnerability
You have
On Fri, Oct 24, 2014 at 9:53 AM, Michael Wojcik
michael.woj...@microfocus.com wrote:
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jeffrey Walton
Sent: Friday, 24 October, 2014 09:42
To: OpenSSL Users List
Subject: Re: openssl SSL3 vulnerability
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jeffrey Walton
Sent: Friday, 24 October, 2014 10:26
To: OpenSSL Users List
Subject: Re: openssl SSL3 vulnerability
On Fri, Oct 24, 2014 at 9:53 AM, Michael Wojcik
michael.woj...@microfocus.com
On 24/10/2014 15:53, Pradeep Gudepu wrote:
To my earlier code, I have added these extra flags for client:
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
And server also has these same flags set, so that no way client and server can
communicate on sslv2, sslv3.
But
...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jakob Bohm
Sent: Friday, October 24, 2014 12:37 PM
To: openssl-users@openssl.org
Subject: Re: openssl SSL3 vulnerability
On 24/10/2014 15:53, Pradeep Gudepu wrote:
To my earlier code, I have added these extra flags for client
That triggers my memory. I saw this too a long time ago. If I recall correctly,
if you get a TLSv1.2 connection, it's still logged as SSLv3 (there is a lack of
printable enums in the OpenSSL code). I looked at my negotiation with Wireshark
and saw that I got TLSv1.2 despite what the debug trace said.
-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Erik Forsberg
Sent: Friday, October 24, 2014 12:46 PM
To: openssl-users@openssl.org
Subject: Re: openssl SSL3 vulnerability
That triggers my memory. I saw this too a long time ago, if I recall correctly
On Fri, Oct 24, 2014 at 12:51 PM, mclellan, dave dave.mclel...@emc.com wrote:
...
The reason I questioned my own setup, and piggy-backed on Pradeep’s first
post was this: I expected to see “TLS” when such a protocol is chosen.
There is a case where I specifically see TLSv1.2 in the cipher
-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Erik Forsberg
Sent: Friday, October 24, 2014 12:46 PM
To: openssl-users@openssl.org
Subject: Re: openssl SSL3 vulnerability
That triggers my memory. I saw this too a long time ago, if I recall correctly,
if you get
option to copy as text.
Thanks – Pradeep Reddy.
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jay Foster
Sent: Friday, October 24, 2014 11:13 PM
To: openssl-users@openssl.org
Subject: Re: openssl SSL3 vulnerability
There seems to be a difference
On 24/10/14 11:12, Pradeep Gudepu wrote:
But in logs, I still see, client and server are negotiated with SSLv3.
SSLConfig::Init: SSL initiated (OpenSSL 1.0.1j 15 Oct 2014 built on: Fri
Oct 24 07:44:36 2014).
SSLSocket::Callback: Handshake done: AES256-SHA SSLv3
Kx=RSA