Thanks for your comments - much appreciated. What is exactly the poodle
patch and how doe sit come into providing some form of protection against
the BEAST attack ?
--
View this message in context:
What about 3DES with appropriate IV, downgrade and replay
countermeasures, what exactly is wrong with those ciphers that is beyond
salvage?(By salvage I mean significantly better than plain text when talking
to
clients that don't support anything more modern, such as certain Microsoft
Try this as a starting point:
https://security.ias.edu/poodle-and-beast-isnt-love-story-sslv3-cipher-vulnerability
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 19/08/2015 16:37, Salz, Rich wrote:
Try this as a starting point:
https://security.ias.edu/poodle-and-beast-isnt-love-story-sslv3-cipher-vulnerability
___
openssl-users mailing list
To unsubscribe:
On 19/08/2015 00:26, Salz, Rich wrote:
There are *no* secure SSLv3 ciphers. If you need to support it (for legacy clients),
then best you can do is use the poodle patch, the SCSV indicator which will
at least prevents clients that are capable of more from being downgraded.
What about 3DES
Does this mean, since the 'no insert fragments' is part of SSL_OP_ALL, that
OpenSSL is BEAST-proof since some time regarding it's use of TLS 1.0 and SSL
3.0 ?
Thanks.
--
View this message in context:
Does this mean, since the 'no insert fragments' is part of SSL_OP_ALL, that
OpenSSL is BEAST-proof since some time regarding it's use of TLS 1.0 and SSL
3.0 ?
No.
___
openssl-users mailing list
To unsubscribe:
OK. So this means that the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not the
solution for the BEAST attack. Is there a solution while keeping TLS 1.0
and SSL v3.0 ?
Thanks.
--
View this message in context:
On 18/08/2015 23:06, jonetsu wrote:
OK. So this means that the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not the
solution for the BEAST attack. Is there a solution while keeping TLS 1.0
and SSL v3.0 ?
Thanks.
The solution is NOT setting
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS and hoping the other
end
There are *no* secure SSLv3 ciphers. If you need to support it (for legacy
clients), then best you can do is use the poodle patch, the SCSV indicator
which will at least prevents clients that are capable of more from being
downgraded.
___
On 22/07/2015 14:12, jonetsu wrote:
Hello,
Our Nessus version 6.4.1 is detecting a BEAST vulnerability against OpenSSL
1.0.1e. The source code defines SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as
0x0800L and several tests are made for this value in the code. The CHANGES
mentions though that
11 matches
Mail list logo
