...@openssl.org]
On Behalf Of Jay Foster
Sent: Friday, October 24, 2014 1:43 PM
To: openssl-users@openssl.org
Subject: Re: openssl SSL3 vulnerability
There seems to be a difference between the SSL (protocol) version and the
Cipher version/description. You might try the following debug code to clarify
* Pradeep Gudepu:
> if(server)
> //method = ::SSLv23_server_method();
> method = ::TLSv1_server_method();
> else
> //method = ::SSLv23_client_method();
> method = ::TLSv1_client_method();
This is wrong, it prevents the use of TLS 1.1 and TLS 1.2.
On 24/10/14 11:12, Pradeep Gudepu wrote:
> But in logs, I still see, client and server are negotiated with SSLv3.
>
>
>
> SSLConfig::Init: SSL initiated (OpenSSL 1.0.1j 15 Oct 2014 built on: Fri
> Oct 24 07:44:36 2014).
>
> SSLSocket::Callback: Handshake done: AES256-SHA SSLv3
>
option to copy as text.
Thanks – Pradeep Reddy.
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jay Foster
Sent: Friday, October 24, 2014 11:13 PM
To: openssl-users@openssl.org
Subject: Re: openssl SSL3 vulnerability
There seems to be a difference
On Fri, Oct 24, 2014 at 12:51 PM, mclellan, dave wrote:
> ...
>
> The reason I questioned my own setup, and piggy-backed on Pradeep’s first
> post was this: I expected to see “TLS” when such a protocol is chosen.
> There is a case where I specifically see TLSv1.2 in the cipher text string
> simi
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Erik Forsberg
Sent: Friday, October 24, 2014 12:46 PM
To: openssl-users@openssl.org
Subject: Re: openssl SSL3 vulnerability
That triggers my memory. I saw this too a long time ago, if I recall correctly,
if you get a TLSv1.2 connection, it's still logged as SSLv3 (there is a lack of
printable enums in the OpenSSL code). I looked at my negotiation with Wireshark
and saw that I got TLSv1.2 despite what the debug trace said.
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jakob Bohm
Sent: Friday, October 24, 2014 12:37 PM
To: openssl-users@openssl.org
Subject: Re: openssl SSL3 vulnerability
On 24/10/2014 15:53, Pradeep Gudepu wrote:
To my earlier code, I have added these extra flags for client:
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
And server also has these same flags set, so that no way client and server can
communicate on sslv2, sslv3.
But a
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Jeffrey Walton
> Sent: Friday, 24 October, 2014 10:26
> To: OpenSSL Users List
> Subject: Re: openssl SSL3 vulnerability
>
> On Fri, Oct 24, 2014 at 9:53 AM, Michael Wojcik
>
On Fri, Oct 24, 2014 at 9:53 AM, Michael Wojcik
wrote:
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
>> us...@openssl.org] On Behalf Of Jeffrey Walton
>> Sent: Friday, 24 October, 2014 09:42
>> To: OpenSSL Users List
>> Subject: Re: openssl SSL3 v
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Michael Wojcik
Sent: Friday, October 24, 2014 9:30 AM
To: openssl-users@openssl.org
Subject: RE: openssl SSL3 vulnerability
You have "SSL_OP_NO_
eed not set ciphers on client side.
Thanks – Pradeep reddy.
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jeffrey Walton
Sent: Friday, October 24, 2014 7:12 PM
To: OpenSSL Users List
Subject: Re: openssl SSL3 vulnerability
On Fri
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Jeffrey Walton
> Sent: Friday, 24 October, 2014 09:42
> To: OpenSSL Users List
> Subject: Re: openssl SSL3 vulnerability
>
> On Fri, Oct 24, 2014 at 9:30 AM, Michael Wojcik
On Fri, Oct 24, 2014 at 9:30 AM, Michael Wojcik
wrote:
> You have "SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2" there. I assume "v2 ... v2" is
> a typo, but if that's what your code actually has, then that's the problem.
> (Assuming there isn't some other problem, of course.)
>
That's actually correct in th
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of mclellan, dave
Sent: Friday, 24 October, 2014 09:06
To: openssl-users@openssl.org
Subject: RE: openssl SSL3 vulnerability
If that's the case (Jeffrey has "not observed the behavior") th
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jeffrey Walton
Sent: Friday, October 24, 2014 8:42 AM
To: OpenSSL Users List
Subject: Re: openssl SSL3 vulnerability
On Fri, Oct 24, 2014 at 7:15 AM, mclellan, dave wrote:
> I have also had this same experience (1.0.1i) with SSLv3 being negotiated
> though I used the SSL_OP_NO_SSLv3 flag on the SSL_set_options call. (I have
> NOT re-built with SSLv3 disabled).
>
If that's the case, then a security related defec
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Pradeep Gudepu
Sent: Friday, October 24, 2014 6:13 AM
To: openssl-users@openssl.org
Subject: openssl SSL3 vulnerability
Hi,
To get rid of the OpenSSL SSL3 POODLE bug, I upgraded from OpenSSL 1.0.1g to
1.0.1j. I also compiled the OpenSSL sources with no-ssl2 no-ssl3, so that only TLSv1
works in the client-server application.
On top of this, in my SSL config code, I added the following code to create the context.
if(server)