On 19/08/2015 16:37, Salz, Rich wrote:
Try this as a starting point:
https://security.ias.edu/poodle-and-beast-isnt-love-story-sslv3-cipher-vulnerability
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-us
> What about 3DES with appropriate IV, downgrade and replay
> countermeasures, what exactly is wrong with those ciphers that is beyond
> salvage? (By salvage I mean significantly better than plain text when talking
> to clients that don't support anything more modern, such as certain Microsoft
Thanks for your comments - much appreciated. What exactly is the "poodle
patch" and how does it come into providing some form of protection against
the BEAST attack?
--
View this message in context:
http://openssl.6102.n7.nabble.com/BEAST-and-SSL-OP-DONT-INSERT-EMPTY-FRAGMENTS-tp59291p59743.
On 19/08/2015 00:26, Salz, Rich wrote:
There are *no* secure SSLv3 ciphers. If you need to support it (for legacy clients),
then best you can do is use the "poodle patch," the SCSV indicator which will
at least prevent clients that are capable of more from being downgraded.
What about 3DES
On 18/08/2015 23:06, jonetsu wrote:
OK. So this means that the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not the
solution for the BEAST attack. Is there a solution while keeping TLS 1.0
and SSL v3.0 ?
Thanks.
The solution is NOT setting
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS and hoping the other
end
> Does this mean, since the 'no insert fragments' is part of SSL_OP_ALL, that
> OpenSSL is BEAST-proof since some time regarding its use of TLS 1.0 and SSL
> 3.0 ?
No.
Does this mean, since the 'no insert fragments' is part of SSL_OP_ALL, that
OpenSSL is BEAST-proof since some time regarding its use of TLS 1.0 and SSL
3.0 ?
Thanks.
On 22/07/2015 14:12, jonetsu wrote:
Hello,
Our Nessus version 6.4.1 is detecting a BEAST vulnerability against OpenSSL
1.0.1e. The source code defines SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as
0x0800L and several tests are made for this value in the code. The CHANGES
mentions though that
Hello,
Our Nessus version 6.4.1 is detecting a BEAST vulnerability against OpenSSL
1.0.1e. The source code defines SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as
0x0800L and several tests are made for this value in the code. The CHANGES
mentions though that this had some side effects, the option