[openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

Jakob Bohm jb-openssl at wisemo.com
Wed Aug 19 09:06:30 UTC 2015


On 19/08/2015 00:26, Salz, Rich wrote:
> There are *no* secure SSLv3 ciphers.  If you need to support it (for legacy clients), then the best you can do is use the "poodle patch," the SCSV indicator, which will at least prevent clients that are capable of more from being downgraded.

What about 3DES with appropriate IV, downgrade and
replay countermeasures? What exactly is wrong with
those ciphers that is beyond salvage? (By salvage
I mean significantly better than plaintext when
talking to clients that don't support anything more
modern, such as certain Microsoft systems.)

Specifically:

If the SSL library aborts the session on the first bad
decryption, the adversary gets only one use of the
padding oracle per key.  Shouldn't this kill off
those attacks?

With 1/n-1 or 0/n splitting, the predictable IV
issue should be reasonably mitigated. (Hence the
prior discussion of the need to not disable that via
SSL_OP_ALL.)

With export-RSA and export-DH properly disabled,
attempts to downgrade to 40/56-bit symmetric keys
should be detected, or is there a bug in the way
strong RSA/DSA keys are used to authenticate the
negotiation that would allow a downgrade to
downgrade its own check?

With SCSV handling enabled, shouldn't that prevent
downgrade-via-browser-retry attacks (POODLE)?
Except of course with browsers that lack the feature.

Which attack scenario did I forget?

Of course it is safer to insist that everybody
else uses only TLS 1.2 with ECDH, AES and SHA-2,
but I think that would rule out too many clients
in practice.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
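The 1/n-1 and 0/n splitting point in the message above, as an added example that is not part of the original post and not OpenSSL's own code: a small Python simulation of a MAC-then-pad-then-CBC record layer whose IV is the previous record's last ciphertext block (the SSL 3.0 / TLS 1.0 behaviour BEAST exploits). A keyed Feistel permutation stands in for 3DES, and the keys, IV, cookie, candidate tokens and MAC truncation are all constructed for the example. It shows that an attacker who can make the victim send a chosen block after seeing the wire can confirm a guess for an earlier plaintext block, and that the same check stops working once the data is preceded by an empty fragment (OpenSSL's countermeasure, which SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS turns off and which SSL_OP_ALL includes) or split 1/n-1.

```python
"""BEAST-style chosen-block check against CBC records that chain the IV
across records, with and without 0/n and 1/n-1 splitting.
Stand-in cipher and constructed keys; this is not OpenSSL code."""
import hashlib
import hmac

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """16-byte keyed Feistel permutation with an HMAC-SHA256 round function.
    Any Feistel network is a bijection, which is all the CBC argument below
    needs, so it stands in for 3DES/AES here; it is NOT a real cipher."""
    left, right = block[:8], block[8:]
    for r in range(6):
        f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def record_mac(key: bytes, seq: int, fragment: bytes) -> bytes:
    # Truncated HMAC over sequence number and fragment (assumed MAC layout).
    return hmac.new(key, seq.to_bytes(8, "big") + fragment, hashlib.sha256).digest()[:16]


def tls_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK      # 1..16 padding bytes, each holding n-1
    return data + bytes([n - 1]) * n


class CbcRecordSender:
    """Record layer where the IV of each record is the last ciphertext
    block of the previous record, i.e. visible on the wire in advance."""

    def __init__(self, enc_key: bytes, mac_key: bytes, iv: bytes, split: str = "none"):
        self.enc_key, self.mac_key, self.split = enc_key, mac_key, split
        self.chain = iv    # IV for the next record
        self.seq = 0
        self.wire = []     # every ciphertext block sent so far (attacker's view)

    def send_fragment(self, fragment: bytes) -> list:
        plain = tls_pad(fragment + record_mac(self.mac_key, self.seq, fragment))
        self.seq += 1
        out = []
        for i in range(0, len(plain), BLOCK):
            self.chain = block_encrypt(self.enc_key, xor(plain[i:i + BLOCK], self.chain))
            out.append(self.chain)
        self.wire += out
        return out

    def send(self, data: bytes) -> list:
        if self.split == "0/n":      # empty fragment first: the countermeasure
            return self.send_fragment(b"") + self.send_fragment(data)   # that SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS removes
        if self.split == "1/n-1":    # browser-side countermeasure
            return self.send_fragment(data[:1]) + self.send_fragment(data[1:])
        return self.send_fragment(data)


# Constructed session material and secret; the cookie's second block is the target.
ENC_KEY, MAC_KEY, IV = b"enc-key-example!", b"mac-key-example!", b"initial-iv-16byt"
COOKIE = b"Cookie: session=" + b"S3CR3T-TOKEN-42!"


def beast_guess_succeeds(split: str, guess: bytes) -> bool:
    """True if a passive attacker who can inject one chosen block can confirm
    that `guess` is the second plaintext block of the earlier secret record."""
    victim = CbcRecordSender(ENC_KEY, MAC_KEY, IV, split)
    # The secret record goes out first; BEAST arranges its block alignment by
    # padding the request, so the demo simply assumes the boundary is known.
    c0, c1 = victim.send_fragment(COOKIE)[:2]      # c1 = E(P1 xor c0), P1 = token
    # The attacker sees the last block on the wire (the next IV) and chooses X
    # with X xor IV == guess xor c0, so the first new ciphertext block is
    # E(guess xor c0), which equals c1 exactly when guess == P1.
    x = xor(xor(guess, c0), victim.chain)
    return c1 in victim.send(x)


def recover_token(split: str, candidates):
    """Dictionary attack over candidate tokens; None means the check no longer works."""
    for cand in candidates:
        if beast_guess_succeeds(split, cand):
            return cand
    return None


if __name__ == "__main__":
    guesses = [b"WRONG-TOKEN-00!!", b"S3CR3T-TOKEN-42!", b"OTHER-TOKEN-99!!"]
    for mode in ("none", "0/n", "1/n-1"):
        print(f"{mode:>6}: recovered {recover_token(mode, guesses)!r}")
```

In the "none" mode the guess test is exact: the block cipher is a permutation, so a wrong guess can never produce c1 and the right one always does. With 0/n the record carrying X is chained to the last block of the empty fragment, which depends on the MAC key and was not on the wire when X was chosen; with 1/n-1 the first block of the attacker-influenced record mixes one byte of X with the MAC. In both cases the chosen block is no longer encrypted under an IV the attacker knew in advance, which is the whole point of not letting SSL_OP_ALL switch the empty-fragment insertion off.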


