RE: openssl SSL3 vulnerability

mclellan, dave Fri, 24 Oct 2014 10:19:25 -0700

The plot thickens, but our mails must be crossing.   I do indeed see TLSV1.2 in 
that message, but if and only if a much more restrictive set of ciphers is 
specified.  That's why I was questioning the appearance of SSLv3 in other 
cases, despite the case that I had set the options to disable SSLv3.


+-+-+-+-+-+-+-+-+- 
Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 
South St.
Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
Office:    508-249-1257, FAX: 508-497-8027, Mobile:   978-500-2546, 
dave.mclel...@emc.com
+-+-+-+-+-+-+-+-+-


-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Erik Forsberg
Sent: Friday, October 24, 2014 12:46 PM
To: openssl-users@openssl.org
Subject: Re: openssl SSL3 vulnerability

That triggers my memory. I saw this too a long time ago, if I recall correctly, 
if you get a TLSv1.2 connection, its still logged as SSLv3 (there is lack of 
printable enums in the OpenSSL code. I looked at my negotiation with wireshark 
and saw that I got TLSv1.2 despite what the debug trace said.

I hope this could be fixed one day ?

>-- Original Message --
>
>On 24/10/2014 15:53, Pradeep Gudepu wrote:
>> To my earlier code, I have added these extra flags for client:
>>
>> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | 
>> SSL_OP_NO_SSLv3);
>>
>> And server also has these same flags set, so that no way client and server 
>> can communicate on sslv2, sslv3.
>>
>> But again in logs I see SSL3 is negotiated:
>>
>> [2014-10-24 18:00:17.063, Info      <     proxysrv:10684>] SSLConfig::Init: 
>> SSL initiated (OpenSSL 1.0.1j 15 Oct 2014 built on: Mon Oct 20 15:08:32 
>> 2014).
>> [2014-10-24 18:02:11.640, Info      <     proxysrv:10684>] 
>> SSLSocket::Callback: Handshake done: AES256-SHA              SSLv3 Kx=RSA    
>>   Au=RSA  Enc=AES(256)  Mac=SHA1
>Does this really mean "SSLv3.0 protocol negotiated"?
>
>Or does it just mean "SSLv3.x" (which includes TLSv1.x)?
>
>Or perhaps "SSLv3 compatible cipher suite" (which also includes TLSv1.x)?
>>
>> On server, I have these ciphers set:
>>
>> ::SSL_CTX_set_cipher_list(ctx, 
>> "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM");
>>
>> Is there something wrong with these ciphers? What are best cipher argument 
>> for only TLSv1 communication. I think, I need not set ciphers on client side.
>>
>> Thanks – Pradeep reddy.
>
>Enjoy
>
>Jakob
>--
>Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com 
>Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10 This 
>public discussion message is non-binding and may contain errors.
>WiseMo - Remote Service Management for PCs, Phones and Embedded
>


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
:��I"Ϯ��r�m����
(����Z+�K�+����1���x��h����[�z�(����Z+���f�y�������f���h��)z{,���

RE: openssl SSL3 vulnerability

Reply via email to