Heartbeat Response transmission during handshake - plaintext bleeding of HB response [CVE-2014-0160]

2014-04-12 Thread MiW on Mailing Lists
Hi List, I think Doug Smith was correct in his email Heartbeat response during handshake? RFC 6520 does state that The receiving peer SHOULD discard the message silently, if it arrives during the handshake.. I was testing adding the following lines to d1_both.c and t1_lib.c in the

Re: OpenSSL has exploit mitigation countermeasures to make sure its exploitable

2014-04-12 Thread Reini Urban
On 04/11/2014 04:13 PM, Carlos Alberto Lopez Perez wrote: Probably this blog post provides more information about what Akamai has been doing related to this issue: https://blogs.akamai.com/2014/04/heartbleed-update.html It would be appreciated if you cared to contribute back your own custom

[openssl.org #3302] [PATCH] dtls1_reassemble_fragment: goto err fail

2014-04-12 Thread Sami Farin via RT
Your code does not set i to -1. This patch fixes the little issue. Bug added in: commit 934e22e81455e1e6229cbafb525a36cb6c50dbe9 Author: Dr. Stephen Henson st...@openssl.org diff --git a/ssl/d1_both.c b/ssl/d1_both.c index d8bcd58..2c06fc2 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -679,8

Re: OpenSSL has exploit mitigation countermeasures to make sure its exploitable

2014-04-12 Thread Otto Moerbeek
On Fri, Apr 11, 2014 at 05:51:17PM -0500, Reini Urban wrote: On 04/11/2014 04:13 PM, Carlos Alberto Lopez Perez wrote: Probably this blog post provides more information about what Akamai has been doing related to this issue: https://blogs.akamai.com/2014/04/heartbleed-update.html It

RE: OpenSSL has exploit mitigation countermeasures to make sure its exploitable

2014-04-12 Thread Salz, Rich
It would be appreciated if you cared to contribute back your own custom secure_malloc allocator. We did. See http://marc.info/?l=openssl-usersm=139723710923076w=2 and http://marc.info/?l=openssl-usersm=139723972124003w=2 -- Principal Security Engineer Akamai Technology Cambridge,

Re: [PATCH] s_client: Fix keypress requirement with redirected input on Windows

2014-04-12 Thread Jeff Trawick
On Mon, Oct 7, 2013 at 7:47 AM, Jeff Trawick traw...@gmail.com wrote: See the attached patch which applies over openssl-1.0.1e and selects the use of existing support for the Windows API WaitForSingleObject(..STD_INPUT_HANDLE..) to trigger a read of stdin. That logic is hidden currently

Re: OpenSSL has exploit mitigation countermeasures to make sure its exploitable

2014-04-12 Thread mancha
[From: openssl-users] On Fri, Apr 11, 2014, Salz, Rich wrote: This patch is a variant of what we've been using to help protect customer keys for a decade. Would you please elaborate on how it differs from what you've been using in production? OpenSSL is important to us, and this is the

RE: OpenSSL has exploit mitigation countermeasures to make sure its exploitable

2014-04-12 Thread Salz, Rich
Would you please elaborate on how it differs from what you've been using in production? Local platform issues, mainly. Conceptually, nothing different about the security. -- Principal Security Engineer Akamai Technology Cambridge, MA