On Tue, 20 Sep 2011 20:37:35 +0200,
Richard Könning <richard.koenn...@ts.fujitsu.com> wrote:

> Please read http://www.openssl.org/~bodo/tls-cbc.txt, problem #2. You
> then see that the problem is already addressed in OpenSSL 0.9.6d,
> over seven years ago. See also
> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5887&rep=rep1&type=pdf,
> section 6, subsection "OpenSSL and the Empty Message".

That's interesting to know. Do you know if similar mitigation measures
have been done in other popular SSL implementations, especially NSS?

And is it sufficient if one side of a connection has them or do both
need them to be secure? (The most likely scenario with HTTPS is probably
an NSS client with an OpenSSL server.)

-- 
Hanno Böck              mail/jabber: ha...@hboeck.de
GPG: BBB51E42           http://www.hboeck.de/
