
countermeasure against a vulnerability in CBC ciphersuites



Hi there,

This is debian stable (woody) openssl_0.9.6c-2.woody.4. I need to find
out the following. This is from debian's changelog:

,----
| openssl (0.9.6c-2.woody.0) stable-security; urgency=low
|
|   * SECURITY: patch for various overflows (upstream security patch
|     0.9.6d->0.9.6e)
|
|  -- Michael Stone <mstone@debian.org>  Mon, 29 Jul 2002 21:34:41 -0400
`----

I tried, but failed to identify if these specific changes:

,----
| Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
|
|  *) New option
|          SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
|     for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
|     that was added in OpenSSL 0.9.6d.
|
| Changes between 0.9.6c and 0.9.6d  [9 May 2002]
|
|  *) Implement a countermeasure against a vulnerability recently found
|     in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
|     before application data chunks to avoid the use of known IVs
|     with data potentially chosen by the attacker.
|     [Bodo Moeller]
`----

are part of the patch mentioned above. Can anyone help me out?


Cheers,
Cristian

-- 
Real men don't click.
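
Added example, not part of the original message and not OpenSSL code: a toy Python model of the TLS 1.0 CBC write path described in the quoted 0.9.6d changelog entry, showing that with the empty fragment the IV used for application data has not appeared on the wire at the time the data is chosen. The Feistel cipher, keys, class and function names are constructed for illustration, record headers are omitted, and the model assumes the empty fragment and the data record leave in the same write.

```python
import hashlib
import hmac

BLOCK = 16  # block size of the toy cipher, in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Toy 4-round Feistel permutation standing in for the real block cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

class Tls10CbcWriter:
    """Simplified TLS 1.0 CBC write side: no record headers, MAC over seq + data."""
    def __init__(self, enc_key, mac_key, iv, empty_fragments):
        self.enc_key, self.mac_key, self.iv = enc_key, mac_key, iv
        self.seq, self.empty_fragments = 0, empty_fragments

    def _record(self, data):
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + data, hashlib.sha1).digest()
        self.seq += 1
        body = data + mac
        padlen = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
        body += bytes([padlen]) * (padlen + 1)  # TLS-style padding
        out = b""
        for i in range(0, len(body), BLOCK):
            self.iv = encrypt_block(self.enc_key, xor(body[i:i + BLOCK], self.iv))
            out += self.iv  # chained IV: last ciphertext block feeds the next record
        return out

    def write(self, data):
        """Encrypt one application write; return (IV used for the data record, wire bytes)."""
        wire = self._record(b"") if self.empty_fragments else b""
        iv_for_data = self.iv
        return iv_for_data, wire + self._record(data)

def iv_on_wire_before_write(empty_fragments):
    """True if the data record's IV was already visible before write() was called."""
    w = Tls10CbcWriter(b"constructed-enc-key", b"constructed-mac-key", bytes(BLOCK), empty_fragments)
    _, seen = w.write(b"first application chunk")
    blocks_seen = {seen[i:i + BLOCK] for i in range(0, len(seen), BLOCK)}
    iv, _ = w.write(b"second application chunk")
    return iv in blocks_seen

if __name__ == "__main__":
    print("countermeasure off:", iv_on_wire_before_write(False))  # True
    print("countermeasure on: ", iv_on_wire_before_write(True))   # False
```

The empty fragment costs one extra record (MAC plus padding, 32 bytes in this model) per write, which is the overhead that SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS removes along with the protection.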


