Stitched vs non-Stitched Ciphersuites

Matt Caswell matt at openssl.org
Wed Feb 27 17:06:35 UTC 2019



On 27/02/2019 16:47, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
>> Of Sam Roberts Sent: Wednesday, February 27, 2019 11:33
>> 
>> Even though this is fixed, would the general advice still be "avoid CBC in
>> favour of AESCCM and AESGCM when using TLS1.2"? Or update to TLS1.3.
> 
> The general advice is to avoid CBC mode where possible, full stop. Too many
> deployed implementations are still vulnerable to one form or another of
> padding-oracle attacks. Unless you control both ends of the conversation, you
> can't guarantee the peer isn't vulnerable.
> 
> Frankly, this latest vulnerability in OpenSSL 1.0.2 feels pretty minor in
> that regard, since it depends on two different (if related) behaviors by the
> application to be vulnerable. The application has to incorrectly attempt a
> second SSL_shutdown if the first one fails (it should only do the second if
> the first succeeds),

This is not quite correct. It requires you to incorrectly call SSL_shutdown()
twice (once to send a close_notify, and once to receive one) having previously
encountered a fatal error.

For example if you call SSL_read() which returns <=0 and SSL_get_error() returns
SSL_ERROR_SYSCALL or SSL_ERROR_SSL then a fatal error has occurred. You should
*not* then attempt to call SSL_shutdown().

Matt


More information about the openssl-users mailing list