[openssl-users] Bleichenbacher Vulnerability
Hanno Böck
hanno at hboeck.de
Wed Dec 20 11:13:12 UTC 2017
Hi,
On Wed, 20 Dec 2017 11:51:39 +0530
haris iqbal <haris.phnx at gmail.com> wrote:
> I was wondering when exactly (the version) was the OpenSSL library
> patched for the Bleichenbacher Vulnerability?
It was probably fixed some time in the late 90s. However, according to
https://www.openssl.org/news/changelog.html
the countermeasures were accidentally removed in some 0.9.6 version.
However, there also was a 2012/2013 timing version of the attack fixed
here:
https://github.com/openssl/openssl/commit/adb46dbc6dd7347750df2468c93e8c34bcb93a4b
We also observed some old OpenSSL 0.9.8g crashing when we ran
Bleichenbacher scans against it, but we haven't entirely analyzed this.
> Wanted to know this, since my custom application uses an older version
> of OpenSSL, and I wanted to be sure that it is not affected.
Don't do this. Switch to a supported version. There's no way you will
plausibly keep this secure. Bleichenbacher attacks may be the least of
your worries.
--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
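The countermeasure the reply refers to (the one whose removal and later timing fix are mentioned) is the RFC 5246 7.4.7.1 rule: a server checks the RSA-decrypted PKCS#1 v1.5 block without data-dependent branches and, on any padding or version failure, silently uses a pre-drawn random premaster secret instead of reporting an error. The block below is an added illustration of that logic, not code from the thread or from OpenSSL; function names are my own, and since Python gives no timing guarantees it shows the structure of the check rather than a production constant-time implementation.

```python
import os

PMS_LEN = 48  # TLS premaster secret length (RFC 5246 7.4.7.1)


def _ct_eq(a: int, b: int) -> int:
    """1 if the two byte values are equal, else 0, with no data-dependent branch."""
    x = (a ^ b) & 0xFF
    return ((x - 1) >> 8) & 1


def unpad_premaster(em: bytes, client_version: bytes, fallback: bytes) -> bytes:
    """Recover the premaster secret from an RSA-decrypted block em (hypothetical helper).

    em must look like 00 02 PS 00 M with len(M) == 48 and M[0:2] equal to the
    client's offered version.  Every check is folded into one flag; the same
    work is done whether the padding is good or bad, and on failure the
    caller-supplied random fallback is returned instead of an error.
    """
    k = len(em)                          # modulus length is public, branching on it is fine
    if k < PMS_LEN + 11:                 # too short to hold 00 02 PS(>=8) 00 M
        return fallback
    sep = k - PMS_LEN - 1                # index of the 00 separator preceding M
    ok = _ct_eq(em[0], 0x00) & _ct_eq(em[1], 0x02) & _ct_eq(em[sep], 0x00)
    for b in em[2:sep]:                  # PS must contain no zero byte
        ok &= 1 - _ct_eq(b, 0x00)
    msg = em[k - PMS_LEN:]
    ok &= _ct_eq(msg[0], client_version[0]) & _ct_eq(msg[1], client_version[1])
    mask = (-ok) & 0xFF                  # 0xFF when every check passed, else 0x00
    return bytes((m & mask) | (f & (~mask & 0xFF)) for m, f in zip(msg, fallback))


def server_premaster(em: bytes, client_version: bytes) -> bytes:
    """What a server would call: draw the fallback before looking at the block."""
    fallback = os.urandom(PMS_LEN)
    return unpad_premaster(em, client_version, fallback)


if __name__ == "__main__":
    # Constructed 1024-bit-style block: 00 02 || 77 non-zero bytes || 00 || 48-byte PMS
    pms = b"\x03\x03" + bytes(range(46))
    good = b"\x00\x02" + b"\x41" * 77 + b"\x00" + pms
    bad = b"\x00\x01" + b"\x41" * 77 + b"\x00" + pms
    print(server_premaster(good, b"\x03\x03") == pms)   # True
    print(server_premaster(bad, b"\x03\x03") == pms)    # False, but still 48 random bytes
```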