[openssl-users] Bleichenbacher Vulnerability

[Bodo Moeller]

Hanno Böck <hanno at hboeck.de>:

> I was wondering when exactly (the version) was the OpenSSL library
> > patched for the Bleichenbacher Vulnerability?
>


> It was probably fixed some time in the late 90s. However according to
> https://www.openssl.org/news/changelog.html
>
> the countermeasures were accidentally removed in some 0.9.6 version.
>

The original countermeasure had been present back in SSLeay, but it also
had never actually worked at all until I accidentally removed it from
s3_srvr.c in 0.9.5 (not 0.9.6) and put it back in 0.9.6g with a fix. The
original implementation would have generated a randomized master secret but
then still ended the handshake with an error alert, thus achieving nothing.
The main takeaway from that is that good source code comments are
invaluable, because reverse-engineering the intentions underlying the code
can be particularly hard if said code doesn't actually do what it's
intended to do :-)

Of course, in the end the 0.9.6g fix didn't achieve too much (other than
adding a source code explaining what that randomization was all about),
because the RFC 2246 countermeasure was still subject to the
Klíma-Pokorný-Rosa attack discovered later (and first addressed in 0.9.6j).
And of course, as you've already pointed out, that still left timing
attacks.

> Wanted to know this, since my custom application uses an older version
> > of OpenSSL, and I wanted to be sure that it is not affected.
>


> Don't do this. Switch to a supported version. There's no way you will
> plausibly keep this secure. Bleichenbacher attacks may be the least of
> your worries.


I completed agree. If you're using an "older version of OpenSSL", likely
it's subject to a few vulnerabilities with and without logos, and thus is
not what you should be running today.

Bodo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171220/1c341a19/attachment-0001.html>