[openssl-users] Bleichenbacher Vulnerability
hanno at hboeck.de
Wed Dec 20 11:13:12 UTC 2017
On Wed, 20 Dec 2017 11:51:39 +0530
haris iqbal <haris.phnx at gmail.com> wrote:
> I was wondering when exactly (the version) was the OpenSSL library
> patched for the Bleichenbacher Vulnerability?
It was probably fixed some time in the late 90s. However, according to
the countermeasures were accidentally removed in some 0.9.6 version.
However, there also was a 2012/2013 timing version of the attack fixed
We also observed some old OpenSSL 0.9.8g crashing when we ran
Bleichenbacher scans against it, but we haven't entirely analyzed this.
> Wanted to know this, since my custom application uses an older version
> of OpenSSL, and I wanted to be sure that it is not affected.
Don't do this. Switch to a supported version. There's no way you will
plausibly keep this secure. Bleichenbacher attacks may be the least of
mail/jabber: hanno at hboeck.de