countermeasure against a vulnerability in CBC ciphersuites
Hi there,
This is debian stable (woody) openssl_0.9.6c-2.woody.4. I need to find
out the following. This is from debian's changelog:
,----
| openssl (0.9.6c-2.woody.0) stable-security; urgency=low
|
| * SECURITY: patch for various overflows (upstream security patch
| 0.9.6d->0.9.6e)
|
| -- Michael Stone <mstone@debian.org> Mon, 29 Jul 2002 21:34:41 -0400
`----
I tried, but failed to identify if these specific changes:
,----
| Changes between 0.9.6d and 0.9.6e [30 Jul 2002]
|
| *) New option
| SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
| for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
| that was added in OpenSSL 0.9.6d.
|
| Changes between 0.9.6c and 0.9.6d [9 May 2002]
|
| *) Implement a countermeasure against a vulnerability recently found
| in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
| before application data chunks to avoid the use of known IVs
| with data potentially chosen by the attacker.
| [Bodo Moeller]
`----
are part of the patch mentioned above. Can anyone help me out?
Cheers,
Cristian
--
Real men don't click.
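
The countermeasure quoted from the 0.9.6d changelog, as an added illustration (not part of the original message and not OpenSSL's code): in SSL 3.0/TLS 1.0 the CBC IV of a record is the last ciphertext block of the previous record, so it is visible on the wire before the next data is chosen, and the empty fragment puts a MAC-dependent block in between. The block cipher here is a toy stand-in, the record MAC input is simplified, and every key, payload and function name is constructed for the example.

```python
import hashlib
import hmac

BLOCK = 16  # cipher block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key, block):
    # Stand-in block cipher (4-round Feistel over HMAC-SHA256), not a TLS cipher.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def seal_record(enc_key, mac_key, seq, iv, payload):
    # Simplified TLS 1.0 record: payload || HMAC-SHA1 || padding, CBC under iv.
    mac = hmac.new(mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha1).digest()
    body = payload + mac
    pad = BLOCK - len(body) % BLOCK
    body += bytes([pad - 1]) * pad
    blocks, prev = [], iv
    for i in range(0, len(body), BLOCK):
        prev = toy_block_encrypt(enc_key, xor(body[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks

def send_app_data(enc_key, mac_key, seq, last_wire_block, payload, empty_fragment):
    # TLS 1.0 chains CBC across records: each record's IV is the previous
    # record's last ciphertext block. Returns (iv_used_for_payload, records).
    records, iv = [], last_wire_block
    if empty_fragment:
        # Countermeasure: a zero-length record (MAC + padding only) goes first.
        records.append(seal_record(enc_key, mac_key, seq, iv, b""))
        iv, seq = records[-1][-1], seq + 1
    records.append(seal_record(enc_key, mac_key, seq, iv, payload))
    return iv, records

# Constructed sample values.
ENC_KEY, MAC_KEY = b"E" * 16, b"M" * 20
LAST_WIRE_BLOCK = bytes(range(16))  # already observed on the wire
PAYLOAD = b"GET /account HTTP/1.0\r\n\r\n"

iv_plain, recs_plain = send_app_data(ENC_KEY, MAC_KEY, 7, LAST_WIRE_BLOCK, PAYLOAD, False)
iv_fixed, recs_fixed = send_app_data(ENC_KEY, MAC_KEY, 7, LAST_WIRE_BLOCK, PAYLOAD, True)
print("IV known before data is chosen, no countermeasure:", iv_plain == LAST_WIRE_BLOCK)
print("IV known before data is chosen, empty fragment:   ", iv_fixed == LAST_WIRE_BLOCK)
```

With the empty fragment, the IV protecting the payload is the last ciphertext block of the MAC-and-padding record, which depends on the MAC key and the sequence number rather than on anything already sent.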