Date: Mon, 28 Dec 2015 15:55:02 +0000
From: Sevan Janiyan <>
Subject: Re: Being vulnerable to POODLE


On 28/12/2015 14:32, Florian Weimer wrote:
> How so?
> With some OpenSSL versions, it disables the 0/n split to mitigate a
> *different* CBC vulnerability in TLS 1.0, and the client code explicitly
> prevents OpenSSL from using TLS 1.1 and later.

SSLv23_server_method() is called to set up a server without any
restrictions & SSL_CTX_set_options() sets SSL_OP_ALL on the context.
The change I'm proposing explicitly disables the use of SSLv2/v3 so that
we're not reliant on the SSL library (which may be out of date?) to
impose restriction.

Looking up the documentation before I reply, it seems that by using the
SSL_OP_ALL setting, the mitigation you mention is actually disabled. See

Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
vulnerability affecting CBC ciphers, which cannot be handled by some
broken SSL implementations. This option has no effect for connections
using other ciphers.
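
As an added illustration of the point in this message (not code from the thread or from the project being patched), the sketch below uses Python's ssl module, which exposes the same SSL_CTX option bits, to audit an options mask for the two issues discussed: missing SSLv2/SSLv3 opt-outs and the disabled CBC countermeasure. The helper names and the constructed LEGACY_MASK are assumptions made for the example.

```python
import ssl

# Value of SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in OpenSSL's ssl.h; Python's ssl
# module does not export this constant, so it is spelled out here.
OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x800


def audit_options(options):
    """Return findings for an SSL_CTX options bitmask (hypothetical helper)."""
    options = int(options)
    findings = []
    # OP_NO_SSLv2 is 0 when the linked library has no SSLv2 code at all,
    # so only test flags that have a real bit assigned.
    for name, flag in (("SSLv2", ssl.OP_NO_SSLv2), ("SSLv3", ssl.OP_NO_SSLv3)):
        if int(flag) and not options & int(flag):
            findings.append(name + " not explicitly disabled")
    if options & OP_DONT_INSERT_EMPTY_FRAGMENTS:
        findings.append("CBC empty-fragment countermeasure disabled")
    return findings


def harden_options(options):
    """Add the SSLv2/SSLv3 opt-outs and re-enable the CBC countermeasure."""
    options = int(options) | int(ssl.OP_NO_SSLv2) | int(ssl.OP_NO_SSLv3)
    return options & ~OP_DONT_INSERT_EMPTY_FRAGMENTS


def hardened_server_context():
    """Version-flexible server context with the hardened option mask applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options = harden_options(ctx.options)
    return ctx


# Constructed mask: workaround bits plus the empty-fragment bit, and no
# protocol opt-outs, standing in for the SSL_OP_ALL-only setup in the thread.
LEGACY_MASK = int(ssl.OP_ALL) | OP_DONT_INSERT_EMPTY_FRAGMENTS

if __name__ == "__main__":
    print("before:", audit_options(LEGACY_MASK))
    print("after: ", audit_options(harden_options(LEGACY_MASK)))
    print("live:  ", audit_options(hardened_server_context().options))
```

The same check applies in C by passing the result of SSL_CTX_get_options() through equivalent bit tests after the context is configured.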

