Richard Könning wrote:
> Am 20.09.2011 13:19, schrieb Hanno Böck:
>> It seems some rumors are spreading about an attack presented later this
>> week against sslv3/tlsv1.0:
>> Whatever this attack looks like in detail, all news one can find at the
>> moment suggest that only sslv3/tls 1.0 is affected and going to tls
>> 1.1 or 1.2 should fix it.
>> AFAIK, openssl current release 1.0.0 has no tls 1.2, but the
>> planned openssl 1.0.1 should have.
>> Which leads to the question: Is there a planned timeline for a 1.0.1
>> release and could this be accelerated if the issue turns out to be
>> serious?
> Please read, problem #2. You then 
> see that the problem is already addressed in OpenSSL 0.9.6d, over seven years 
> ago. See also 
>  section 6, subsection "OpenSSL and the Empty Message".

many applications set SSL_OP_ALL. So I guess in practice the workaround
is not widely used.
Does anyone know if there are still 'some broken SSL/TLS
implementations' out there that choke if SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is 
not set?


 (o_   Ludwig Nussel
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 
16746 (AG Nürnberg) 
OpenSSL Project                       
Development Mailing List             
Automated List Manager                 

Reply via email to