[openssl-users] CVE-2014- and OpenSSL?
Matt Caswell
matt at openssl.org
Tue Dec 9 16:00:18 EST 2014
On 09/12/14 20:30, Arthur Tsang wrote:
> Hi Rich,
>
> Do we have some formal announcement that OpenSSL is not vulnerable to
> POODLE in TLS? Or can you explain why OpenSSL is not affected? If
> Symantec is issuing notifications like that, I guess a lot of
> management will demand explanations. Thanks,
>
Adam Langley's post provides a good explanation of this problem:
https://www.imperialviolet.org/2014/12/08/poodleagain.html

The specification of SSLv3 did not specify the format of padding bytes
to be used when encrypting data. This led to an oracle attack.

TLS on the other hand *does* specify this, and therefore (if you
implement it correctly) is not vulnerable to this oracle attack. A TLS
library needs to check that the padding bytes are correctly formatted and
fail if not. The problem is that it is possible to implement a TLS
library and still use the SSLv3 decryption routines when working with
TLS (i.e. not check the padding bytes). This *will* work, although it
is not compliant with the spec. If you fail to check the padding bytes
then your TLS implementation is vulnerable to the same POODLE oracle attack.

I can confirm that OpenSSL is compliant with the spec and *does* check
the padding bytes. It is therefore not vulnerable to this issue.
Matt
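The padding check Matt describes, as an added illustration that is not OpenSSL code and not part of this thread: a simplified model of the two validation rules applied to a decrypted CBC record, showing that a record whose padding bytes were altered passes the SSLv3-style check but is rejected by the TLS-style check. The sample records and the 16-byte block size are constructed for the demonstration.

```python
# Added example: SSLv3-style vs TLS-style CBC padding validation.
# Input is the decrypted record (data || MAC || padding || padding_length),
# i.e. after the block cipher has been removed. Not OpenSSL code.

BLOCK_SIZE = 16  # assumed cipher block size for the SSLv3 rule


def ssl3_padding_ok(plaintext: bytes) -> bool:
    """SSLv3 rule: only the final byte (padding length) is checked; it must be
    less than the block size. The padding bytes themselves are unspecified,
    so a decryptor has nothing to verify them against."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK_SIZE and pad_len + 1 <= len(plaintext)


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS rule (RFC 5246, 6.2.3.2): the final byte is the padding length and
    every padding byte must equal that value; any mismatch is a decrypt error."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    # Accumulate mismatches over all padding bytes rather than returning on the
    # first bad byte, so the check's timing does not reveal which byte failed.
    bad = 0
    for b in plaintext[-(pad_len + 1):]:
        bad |= b ^ pad_len
    return bad == 0


# Constructed records: "hello" as body (MAC omitted for brevity), then padding.
GOOD_RECORD = b"hello" + b"\x03" * 4        # pad bytes 03 03 03, length 03
TAMPERED_RECORD = b"hello" + b"\x00" * 3 + b"\x03"  # pad bytes changed, length 03


def compare(record: bytes) -> dict:
    """Return the verdict of each rule for one record."""
    return {"ssl3": ssl3_padding_ok(record), "tls": tls_padding_ok(record)}
```

`compare(TAMPERED_RECORD)` returns `{'ssl3': True, 'tls': False}`: the SSLv3 rule has no way to notice the altered bytes, which is exactly the gap the TLS check closes.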