On 20.09.2011 13:19, Hanno Böck wrote:
It seems some rumors are spreading about an attack presented later this week against sslv3/tlsv1.0: http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ Whatever this attack looks like in detail, all news one can find at the moment suggest that only sslv3/tls 1.0 is affected and going to tls 1.1 or 1.2 should fix it. AFAIK, openssl current release 1.0.0 has no tls 1.2, but the planned openssl 1.0.1 should have. Which leads to the question: Is there a planned timeline for a 1.0.1 release and could this be accelerated if the issue turns out to be serious?
Please read http://www.openssl.org/~bodo/tls-cbc.txt, problem #2. You then see that the problem is already addressed in OpenSSL 0.9.6d, over seven years ago. See also http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5887&rep=rep1&type=pdf, section 6, subsection "OpenSSL and the Empty Message".
Ciao,
Richard Könning

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
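As an added illustration of the "problem #2" countermeasure the reply points to (this is example code written for this page, not code from the thread, from OpenSSL or from the cited papers): a toy TLS 1.0-style record layer in which each record's CBC IV is the last ciphertext block of the previous record, run with and without an empty fragment sent immediately before each data record. The block cipher is a stand-in keyed PRF (encrypt direction only) and the MAC input is simplified to sequence number plus fragment; both are assumptions made for brevity.

```python
import hmac, hashlib, os

BLOCK = 16

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher (assumption): a keyed PRF truncated to one
    block. Only the encrypt direction is needed to show how IVs chain."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(prev, plaintext[i:i + BLOCK])))
        out += prev
    return out

def pad(data: bytes) -> bytes:
    """TLS-style padding: n bytes, each holding the value n-1 (at least one byte)."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n - 1]) * n

class RecordLayer:
    def __init__(self, enc_key: bytes, mac_key: bytes, empty_fragment: bool):
        self.enc_key, self.mac_key, self.empty_fragment = enc_key, mac_key, empty_fragment
        self.iv = os.urandom(BLOCK)   # fresh IV only at the handshake; chained afterwards
        self.seq = 0

    def _send(self, fragment: bytes) -> bytes:
        # Simplified MAC input (assumption); the real one also covers type/version/length.
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + fragment, hashlib.sha1).digest()
        ct = cbc_encrypt(self.enc_key, self.iv, pad(fragment + mac))
        self.iv = ct[-BLOCK:]         # TLS 1.0 chaining: next IV = last ciphertext block
        self.seq += 1
        return ct

    def send(self, data: bytes):
        """Returns (IV actually used for the data record, bytes on the wire)."""
        wire = self._send(b"") if self.empty_fragment else b""   # 0.9.6d-style empty fragment
        iv_used = self.iv
        return iv_used, wire + self._send(data)

def next_iv_predictable(empty_fragment: bool) -> bool:
    """Can an observer of past ciphertext name the IV the next data record will
    use, before that record's plaintext is chosen?"""
    rl = RecordLayer(os.urandom(16), os.urandom(20), empty_fragment)
    _, wire = rl.send(b"first record (constructed sample)")
    guess = wire[-BLOCK:]             # best guess: last block seen on the wire
    iv_used, _ = rl.send(b"second record")
    return guess == iv_used           # True without the countermeasure, False with it
```

With the empty fragment, the data record's IV is the last block of the empty record, whose content is a keyed MAC over the sequence number, so it is sent in the same write as the data and cannot be known beforehand without the MAC key.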