Re: Vuln in SSL 3.0
Hi,

there's a workaround here: https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

It aims to forbid protocol downgrade, except for interoperability. However, I don't know when the draft will be accepted and included in the TLS protocols.

Nicolas

----- Original message -----
From: Dominyk Tiller dominyktil...@gmail.com
To: openssl-dev@openssl.org
Sent: Tuesday 14 October 2014 18:19:34
Subject: Re: Vuln in SSL 3.0

If there is a threat in SSLv3 it seems almost certain to affect OpenSSL. The upstream dev team not commenting on this is probably fairly standard protocol; I believe they don't comment on anything critical that could be exploited before patches are imminent or available.

I guess the situation is "Watch this space."

Sent from Thunderbird for OS X. My PGP public key is automatically attached to this email.

On 14/10/2014 15:19, Krzysztof Kwiatkowski wrote:
> Hi,
>
> Any idea what this is about? Is it a threat for OpenSSL users:
> http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
>
> Regards,
> Kris
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org
Re: Vuln in SSL 3.0
On 15/10/14 14:43, nicolas@free.fr wrote:
> Hi,
>
> there's a workaround here: https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
>
> It aims to forbid protocol downgrade, except for interoperability. However, I don't know when the draft will be accepted and included in the TLS protocols.

The latest versions of OpenSSL that have just been released today implement this capability.

Matt
Re: Vuln in SSL 3.0
Great! I suppose it fixes both - client and server?

On 15 October 2014 15:59:13 CEST, Matt Caswell m...@openssl.org wrote:
> On 15/10/14 14:43, nicolas@free.fr wrote:
>> Hi,
>>
>> there's a workaround here: https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
>>
>> It aims to forbid protocol downgrade, except for interoperability. However, I don't know when the draft will be accepted and included in the TLS protocols.
>
> The latest versions of OpenSSL that have just been released today implement this capability.
>
> Matt

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
RE: Vuln in SSL 3.0
> I suppose it fixes both - client and server?

The server-side is automatic: when it sees the SCSV fallback, it sends a fatal alert back to the client. Clients that will do fallback must call a new API; see the changes file.

--
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz
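The server-side check described in the message above, sketched as an added example that is not part of the thread and is not OpenSSL's code. The function names, return codes and the sample ClientHello are assumptions made for illustration; the SCSV and alert values are the ones assigned in RFC 7507, which the draft became.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TLS_FALLBACK_SCSV 0x5600          /* cipher suite value {0x56, 0x00}, RFC 7507 */
#define ALERT_INAPPROPRIATE_FALLBACK 86   /* fatal alert description, RFC 7507 */
#define SCSV_CONTINUE 0                   /* hypothetical return codes for this sketch */
#define SCSV_MALFORMED (-1)
/* hello: ClientHello body (after the 4-byte handshake header); server_max: highest
 * version the server supports (0x0303 = TLS 1.2). Returns a code or the alert to send. */
int check_fallback_scsv(const uint8_t *hello, size_t len, uint16_t server_max)
{
    if (len < 2 + 32 + 1) return SCSV_MALFORMED;
    uint16_t client_version = (uint16_t)(hello[0] << 8 | hello[1]);
    size_t off = 2 + 32;                       /* skip version and random */
    size_t sid_len = hello[off++];
    if (sid_len > 32 || len - off < sid_len + 2) return SCSV_MALFORMED;
    off += sid_len;
    size_t cs_len = (size_t)hello[off] << 8 | hello[off + 1];
    off += 2;
    if (cs_len == 0 || cs_len % 2 != 0 || len - off < cs_len) return SCSV_MALFORMED;
    for (size_t i = 0; i < cs_len; i += 2) {
        uint16_t suite = (uint16_t)(hello[off + i] << 8 | hello[off + i + 1]);
        if (suite == TLS_FALLBACK_SCSV && client_version < server_max)
            return ALERT_INAPPROPRIATE_FALLBACK;   /* a higher version was possible */
    }
    return SCSV_CONTINUE;
}

/* Constructed sample input: a minimal ClientHello body offering one real suite. */
size_t make_hello(uint8_t *buf, uint16_t version, int with_scsv)
{
    size_t n = 0;
    buf[n++] = (uint8_t)(version >> 8); buf[n++] = (uint8_t)(version & 0xff);
    memset(buf + n, 0xAA, 32); n += 32;        /* random (constructed) */
    buf[n++] = 0;                              /* empty session id */
    buf[n++] = 0; buf[n++] = with_scsv ? 4 : 2;/* cipher_suites length in bytes */
    buf[n++] = 0x00; buf[n++] = 0x2F;          /* TLS_RSA_WITH_AES_128_CBC_SHA */
    if (with_scsv) { buf[n++] = 0x56; buf[n++] = 0x00; }
    buf[n++] = 1; buf[n++] = 0;                /* null compression only */
    return n;
}

int main(void)
{
    uint8_t b[64];
    size_t n = make_hello(b, 0x0300, 1);       /* SSL 3.0 retry carrying the SCSV */
    printf("SSLv3 + SCSV vs TLS 1.2 server: %d\n", check_fallback_scsv(b, n, 0x0303));
    return 0;
}
```

On the client side, the OpenSSL call for this is `SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV)`, set only on a retry made at a lower protocol version than the client's best.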
Vuln in SSL 3.0
Hi,

Any idea what this is about? Is it a threat for OpenSSL users:
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/

Regards,
Kris
Re: Vuln in SSL 3.0
If there is a threat in SSLv3 it seems almost certain to affect OpenSSL. The upstream dev team not commenting on this is probably fairly standard protocol; I believe they don't comment on anything critical that could be exploited before patches are imminent or available.

I guess the situation is "Watch this space."

Sent from Thunderbird for OS X. My PGP public key is automatically attached to this email.

On 14/10/2014 15:19, Krzysztof Kwiatkowski wrote:
> Hi,
>
> Any idea what this is about? Is it a threat for OpenSSL users:
> http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
>
> Regards,
> Kris

Attachments:
0x9D74326C.asc (application/pgp-keys)
0x9D74326C.asc.sig (binary data)