Composition of DES_CBC_SHA

Mark Hack markhack at markhack.com
Sun Mar 19 17:30:22 UTC 2023


Also, POODLE (Padding Oracle on Downgrade to LEgacy) is a two-part
attack.

Padding Oracle attacks on SSLv3 are well known, BUT a large number of
people assumed that if you offered higher levels of TLS you could avoid
this unless a legacy client, which used only SSLv3, attached.

The POODLE attack showed clearly that you could force a downgrade to
legacy SSLv3 so just supporting it opened you to PO attacks.

As Viktor has pointed out, this is two fragments of
0x18 + 0x28 = 0x40, or 64 decimal, which is indeed a multiple of 8.

Regards
Mark Hack


On Sun, 2023-03-19 at 12:41 -0400, Viktor Dukhovni wrote:
> On Sun, Mar 19, 2023 at 03:09:47PM +0000, Ren Yanyu wrote:
> 
> > I use SSL_write(ssl, buf, len) send the data to a memory BIO and
> > read
> > the encrypted message. For example, one of the message reads:
>                                       ---
>                                      [two]
> 
> > 17 03 00 00 18
> >       ab d0 3c ae 20 f5 f8 ad dd 92 06 83 32 bd fa 6a
> >       02 44 5d ec 7b 6d 0c 2b
> > 17 03 00 00 28
> >       66 45 37 06 e6 86 3e d2 cc 77 c1 0b 45 dd 96 0c
> >       c3 7c 23 8e ea 72 fa a6 f0 67 74 28 38 ae 37 23
> >       92 b8 07 96 ce 0f d3 ea
> 
> You're confusing TCP segments with TLS records.  A single TCP segment
> can carry more than one TLS record (or fewer, if the record is longer
> than the TCP MSS, or is the last fragment of a long record).
> 
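The point in the exchange above, that a TCP segment is not a TLS record and that the captured bytes are two records whose encrypted bodies are each a whole number of 8-byte DES blocks, can be checked mechanically. The following Python is an added example, not code from the thread or from OpenSSL: it reassembles TLS records from in-order TCP segment payloads (buffering a record that straddles segments) and reports whether each record body is block-aligned. The 74-byte `SEGMENT` is constructed from the hex dump quoted above and is assumed here to have arrived as a single segment; the content-type and version tables are the standard values from the TLS record layer.

```python
# Added example (not code from the thread or from OpenSSL): a minimal TLS
# record reassembler that splits a TCP byte stream into TLS records and
# checks each encrypted record body against the CBC cipher block size.
import struct
from dataclasses import dataclass
from typing import List, Tuple

TLS_HEADER_LEN = 5  # content type (1) + version (2) + length (2)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


@dataclass
class TLSRecord:
    content_type: int
    version: Tuple[int, int]
    payload: bytes  # encrypted body: data + MAC + padding under CBC suites

    @property
    def length(self) -> int:
        return len(self.payload)


class RecordReassembler:
    """Feed TCP segment payloads in stream order; get back whole TLS records.

    A segment may carry several records, part of one record, or the tail of
    a record begun in an earlier segment, so incomplete bytes are buffered.
    """

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, segment: bytes) -> List[TLSRecord]:
        self._buf += segment
        records: List[TLSRecord] = []
        while len(self._buf) >= TLS_HEADER_LEN:
            ctype, major, minor, length = struct.unpack(
                "!BBBH", self._buf[:TLS_HEADER_LEN])
            if ctype not in CONTENT_TYPES:
                raise ValueError(
                    f"not a TLS record header: content type 0x{ctype:02x}")
            end = TLS_HEADER_LEN + length
            if len(self._buf) < end:
                break  # rest of this record arrives in a later segment
            records.append(
                TLSRecord(ctype, (major, minor), self._buf[TLS_HEADER_LEN:end]))
            self._buf = self._buf[end:]
        return records

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete record."""
        return len(self._buf)


def cbc_aligned(record: TLSRecord, block_size: int = 8) -> bool:
    """With a block cipher in CBC mode (DES: 8-byte blocks) every encrypted
    record body is a whole number of blocks; anything else is malformed."""
    return record.length % block_size == 0


def records_in(segments: List[bytes]) -> List[TLSRecord]:
    """Reassemble a list of in-order TCP segment payloads into TLS records."""
    reassembler = RecordReassembler()
    out: List[TLSRecord] = []
    for seg in segments:
        out.extend(reassembler.feed(seg))
    return out


# Constructed from the hex dump quoted in the thread: two SSLv3 (03 00)
# application_data (0x17) records, assumed here to arrive in one TCP segment.
SEGMENT = bytes.fromhex(
    "17 03 00 00 18 "
    "ab d0 3c ae 20 f5 f8 ad dd 92 06 83 32 bd fa 6a "
    "02 44 5d ec 7b 6d 0c 2b "
    "17 03 00 00 28 "
    "66 45 37 06 e6 86 3e d2 cc 77 c1 0b 45 dd 96 0c "
    "c3 7c 23 8e ea 72 fa a6 f0 67 74 28 38 ae 37 23 "
    "92 b8 07 96 ce 0f d3 ea"
)


if __name__ == "__main__":
    for rec in records_in([SEGMENT]):
        print(f"{CONTENT_TYPES[rec.content_type]} "
              f"{VERSIONS.get(rec.version, rec.version)} "
              f"len=0x{rec.length:02x} ({rec.length}) "
              f"aligned={cbc_aligned(rec)}")
```

Run as a script it lists two `application_data SSLv3` records of length 0x18 and 0x28, both aligned. Feeding `SEGMENT` in two pieces instead (say the first 40 bytes, then the rest) shows the other half of the point: the first call returns only the complete first record and holds the 11 leading bytes of the second until the next segment arrives.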