Richard Könning wrote:
> On 20.09.2011 13:19, Hanno Böck wrote:
>> It seems some rumors are spreading about an attack presented later this
>> week against sslv3/tlsv1.0:
>> Whatever this attack looks like in detail, all news one can find at the
>> moment suggest that only sslv3/tls 1.0 is affected and going to tls
>> 1.1 or 1.2 should fix it.
>> AFAIK, openssl current release 1.0.0 has no tls 1.2, but the
>> planned openssl 1.0.1 should have.
>> Which leads to the question: Is there a planned timeline for a 1.0.1
>> release and could this be accelerated if the issue turns out to be
> Please read http://www.openssl.org/~bodo/tls-cbc.txt, problem #2. You then
> see that the problem is already addressed in OpenSSL 0.9.6d, over seven years
> ago. See also
> section 6, subsection "OpenSSL and the Empty Message".
Unfortunately SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS and
many applications set SSL_OP_ALL. So I guess in practice the workaround
is not widely used.
Does anyone know if there are still 'some broken SSL/TLS
implementations' out there that choke if SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is

(o_ Ludwig Nussel
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB
16746 (AG Nürnberg)
OpenSSL Project http://www.openssl.org
Development Mailing List email@example.com
Automated List Manager majord...@openssl.org