Menu
▾
▴
Re: [Openvpn-users] OpenVPN and TLS security
|
From: Jason <op...@la...> - 2011-09-21 18:12:09
|
Here's an update from the openssl-user ml: On Wed, Sep 21, 2011 at 06:27:02PM +0200, Mounir IDRASSI wrote: > Hi, > > This have been already discussed in the openssl-dev mailing list. Go > to the mailing list archive and take a look at the subject "openssl > 1.0.1 and rumors about TLS 1.0 attacks". > To be brief, this attack has been known for 7 years now and OpenSSL > implemented an effective countermeasure against it since version > 0.9.6d (insertion of empty fragments). So, an OpenSSL based web > server is immune from this attack, unless it uses the flag > SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. > > Links cited in the dev mailing list : > - http://www.openssl.org/~bodo/tls-cbc.txt , section 2. > - > http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5887&rep=rep1&type=pdf > : a 2006 paper discribing the attack and the OpenSSL countermeasure. > > Cheers, > -- > Mounir IDRASSI > IDRIX > http://www.idrix.fr > > > On 9/21/2011 4:48 PM, Thomas J. Hruska wrote: > >The Register published an article yesterday that some people here > >might be interested in on TLS 1.0 being "cracked": > > > >http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ > > > > > >The Register points their Finger of Blame right at OpenSSL. > > > >Of course, a lot of places then blew this out of proportion with > >headlines along the lines of, "ZOMG! HTTPS/SSL Intertubes Hacked! > >i can haz your internets?!?!" > > > >Right now, no one really knows anything about the "research" that > >is supposedly going to be published on Friday. > > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List ope...@op... > Automated List Manager maj...@op... |
