[openssl-users] Bleichenbacher Vulnerability

Hanno Böck hanno at hboeck.de
Wed Dec 20 11:13:12 UTC 2017


Hi,

On Wed, 20 Dec 2017 11:51:39 +0530
haris iqbal <haris.phnx at gmail.com> wrote:

> I was wondering when exactly (the version) was the OpenSSL library
> patched for the Bleichenbacher Vulnerability?

It was probably fixed some time in the late 90s. However according to
https://www.openssl.org/news/changelog.html

the countermeasures were accidentally removed in some 0.9.6 version.

However there also was a 2012/2013 timing version of the attack fixed
here:
https://github.com/openssl/openssl/commit/adb46dbc6dd7347750df2468c93e8c34bcb93a4b

We also observed some old OpenSSL 0.9.8g crashing when we ran
Bleichenbacher scans against it, but we haven't entirely analyzed this.

> Wanted to know this, since my custom application uses an older version
> of OpenSSL, and I wanted to be sure that it is not affected.

Don't do this. Switch to a supported version. There's no way you will
plausibly keep this secure. Bleichenbacher attacks may be the least of
your worries.



-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
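The countermeasure that the thread refers to (the one that was dropped in a 0.9.6 release and later hardened against timing leaks) is the RSA premaster-secret handling described in RFC 5246 section 7.4.7.1: the server checks the PKCS#1 v1.5 padding and the embedded client version without any secret-dependent branch, and if anything is wrong it silently continues the handshake with a random premaster secret so the peer cannot distinguish "bad padding" from "good padding". The following C is an added illustration written for this page; it is not OpenSSL's code and does not perform the RSA operation itself. It assumes the caller hands it the raw output of RSA decryption (`em`, `n` bytes, the modulus length) together with 48 caller-supplied random bytes, and all function names are hypothetical. The sample blocks in `selftest` are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48              /* a TLS premaster secret is always 48 bytes */
#define MIN_EM_LEN (11 + PMS_LEN) /* 00 02 | >= 8 pad bytes | 00 | 48-byte PMS */

/* --- constant-time mask helpers: each returns all-ones or all-zeros --- */

static size_t ct_is_zero(size_t a)                /* all-ones iff a == 0 */
{
    size_t topbit = (a | ((size_t)0 - a)) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - (topbit ^ 1);
}

static size_t ct_eq(size_t a, size_t b)           /* all-ones iff a == b */
{
    return ct_is_zero(a ^ b);
}

static size_t ct_select(size_t mask, size_t a, size_t b) /* mask ? a : b */
{
    return (mask & a) | (~mask & b);
}

/*
 * Decode the premaster secret from the PKCS#1 v1.5 block em[0..n) in constant
 * time. Every byte is touched regardless of content; the only early return is
 * on the public modulus length. On any failure the caller-supplied random
 * bytes rnd[] are copied to out[] instead of the real secret. The return value
 * says whether the block was valid; it exists for tests and local logging and
 * must never change what the peer can observe (no alert, no timing change).
 */
static int decode_premaster_ct(const uint8_t *em, size_t n,
                               uint8_t vmajor, uint8_t vminor,
                               const uint8_t rnd[PMS_LEN], uint8_t out[PMS_LEN])
{
    size_t good, found_zero = 0, zero_index = 0, i;
    const size_t sep = n - PMS_LEN - 1;          /* where the 0x00 separator must sit */

    if (n < MIN_EM_LEN)                           /* public parameter, not secret */
        return 0;

    good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);

    /* find the first 0x00 after the block type, scanning every byte */
    for (i = 2; i < n; i++) {
        size_t is_zero = ct_is_zero(em[i]);
        size_t first   = is_zero & ~found_zero;
        zero_index = ct_select(first, i, zero_index);
        found_zero |= is_zero;
    }

    /* separator must be exactly 49 bytes from the end; with n >= MIN_EM_LEN
       that also guarantees the padding string is at least 8 bytes long */
    good &= found_zero & ct_eq(zero_index, sep);

    /* the first two PMS bytes must repeat the version the client offered */
    good &= ct_eq(em[sep + 1], vmajor) & ct_eq(em[sep + 2], vminor);

    /* emit either the real secret or the random stand-in, branch-free */
    for (i = 0; i < PMS_LEN; i++)
        out[i] = (uint8_t)ct_select(good, em[sep + 1 + i], rnd[i]);

    return (int)(good & 1);
}

/* ---- constructed sample data for a self-test (not a real key or capture) ---- */

static const uint8_t kMajor = 3, kMinor = 3;     /* client offered TLS 1.2 */
#define MOD_LEN 128                               /* 1024-bit modulus, for brevity */

static void build_valid_em(uint8_t em[MOD_LEN], const uint8_t pms[PMS_LEN])
{
    size_t i;
    em[0] = 0x00;
    em[1] = 0x02;
    for (i = 2; i < MOD_LEN - PMS_LEN - 1; i++)
        em[i] = (uint8_t)(0x11 + i);              /* nonzero filler, constructed */
    em[MOD_LEN - PMS_LEN - 1] = 0x00;
    memcpy(em + MOD_LEN - PMS_LEN, pms, PMS_LEN);
}

/* Returns the number of scenarios that behaved as the RFC requires (4 expected). */
static int selftest(void)
{
    uint8_t pms[PMS_LEN], rnd[PMS_LEN], em[MOD_LEN], out[PMS_LEN];
    int passed = 0;
    size_t i;

    pms[0] = kMajor; pms[1] = kMinor;             /* constructed secret */
    for (i = 2; i < PMS_LEN; i++) pms[i] = (uint8_t)(0xA0 + i);
    for (i = 0; i < PMS_LEN; i++) rnd[i] = (uint8_t)(0x5A ^ i); /* stands in for CSPRNG output */

    /* 1: well-formed block -> real PMS, status 1 */
    build_valid_em(em, pms);
    if (decode_premaster_ct(em, MOD_LEN, kMajor, kMinor, rnd, out) == 1 &&
        memcmp(out, pms, PMS_LEN) == 0) passed++;

    /* 2: version rollback inside the PMS -> random PMS substituted, status 0 */
    build_valid_em(em, pms);
    em[MOD_LEN - PMS_LEN + 1] = 0x01;
    if (decode_premaster_ct(em, MOD_LEN, kMajor, kMinor, rnd, out) == 0 &&
        memcmp(out, rnd, PMS_LEN) == 0) passed++;

    /* 3: separator one byte too late (PMS would be 47 bytes) -> rejected */
    build_valid_em(em, pms);
    em[MOD_LEN - PMS_LEN - 1] = 0x7F;
    em[MOD_LEN - PMS_LEN]     = 0x00;
    if (decode_premaster_ct(em, MOD_LEN, kMajor, kMinor, rnd, out) == 0 &&
        memcmp(out, rnd, PMS_LEN) == 0) passed++;

    /* 4: wrong block type (0x01 instead of 0x02) -> rejected */
    build_valid_em(em, pms);
    em[1] = 0x01;
    if (decode_premaster_ct(em, MOD_LEN, kMajor, kMinor, rnd, out) == 0 &&
        memcmp(out, rnd, PMS_LEN) == 0) passed++;

    return passed;
}

int main(void)
{
    printf("scenarios behaving per RFC 5246 7.4.7.1: %d of 4\n", selftest());
    return 0;
}
```

The point of the helper masks is that `good` is never used in an `if`: the real secret and the random stand-in are both read and the selection happens by AND/OR, so the instruction stream and memory access pattern are the same for valid and invalid blocks. A real server would also need the RSA decryption itself to be blinded and constant-time, and would have to make sure no later step (alert type, log line, timing of the Finished failure) leaks which of the two paths was taken.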

