[openssl-users] Bleichenbacher Vulnerability

Hanno Böck hanno at hboeck.de
Wed Dec 20 11:13:12 UTC 2017


On Wed, 20 Dec 2017 11:51:39 +0530
haris iqbal <haris.phnx at gmail.com> wrote:

> I was wondering when exactly (the version) was the OpenSSL library
> patched for the Bleichenbacher Vulnerability?

It was probably fixed some time in the late 90s. However according to

the countermeasures were accidentally removed in some 0.9.6 version.

However there also was a 2012/2013 timing version of the attack fixed

We also observed some old OpenSSL 0.9.8g crashing when we ran
Bleichenbacher scans against it, but we haven't entirely analyzed this.

> Wanted to know this, since my custom application uses an older version
> of OpenSSL, and I wanted to be sure that it is not affected.

Don't do this. Switch to a supported version. There's no way you will
plausibly keep this secure. Bleichenbacher attacks may be the least of
your worries.

Hanno Böck

mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
