[openssl-users] Bleichenbacher Vulnerability

M K Saravanan mksarav at gmail.com
Wed Dec 20 06:45:57 UTC 2017


On 20 December 2017 at 14:21, haris iqbal <haris.phnx at gmail.com> wrote:
> Wanted to know this, since my custom application uses an older version
> of OpenSSL, and I wanted to be sure that it is not affected.

Not answering your original question, but you can test it using one
of the following tools:

========
The following tools have checks that will cover ROBOT:

testssl.sh has a test closely modelled after our own one. A snapshot
is available; it's not yet part of a release. It also supports SNI and
STARTTLS, which our test does not.

TLS-Attacker already contained Bleichenbacher checks before our
research; version 2.2 was extended with additional checks to cover all
ROBOT variations.

SSLLabs has added a check in their development version.

Tripwire IP360 added detection for vulnerable F5 devices in ASPL-753
which was released in coordination with F5's public advisory. Generic
detection of Bleichenbacher oracles will be released in coordination
with this publication.

tlsfuzzer has an extensive test script for Bleichenbacher vulns,
though it will also complain about misbehaving servers that are not
necessarily vulnerable.

SSLyze added support for ROBOT detection after our disclosure.
========
Ref: https://robotattack.org/

-- mks --