Mailing List Message #106945
From: Technical Support <>
Subject: Re: Padding Oracle vulnerability
Date: Thu, 23 Aug 2018 15:35:24 +0300
To: CommuniGate Pro Discussions <>

On 2018-08-23 12:06, Fred.Zwarts wrote:
In the release notes of version 6.2.6 I find the following bug fix:

• Bug Fix: TLS: 4.1: TLS connections might be vulnerable to Padding Oracle Attack.

We now run version 6.2.6.
If I run a test from it reports, among others:

This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

What is the explanation? Is there more than one Padding Oracle bug, of which one was fixed?

It appears that some test scripts on the net expect specific behavior in response to attempts to break into a TLS session. The family of "padding oracle" attacks uses the differences in TLS peer responses depending on the success/failure of particular TLS operation stages to guess the next portion of a session key. The protection is to hide those differences, and the fixes in the recent versions of CGPro do that.

Best regards,
Dmitry Akindinov
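As an added illustration of the point made in the reply above (constructed example, not code from the list or from CommuniGate Pro): a Python model of the checks a TLS CBC receiver performs after decrypting a record. The leaky version tells the peer whether the padding or the MAC failed; the hardened version always runs the MAC check and returns one error for every failure, hiding the difference the attack depends on. It equalises only the observable response, not timing, and the key, record layout and names are constructed assumptions.

```python
import hashlib
import hmac
# Constructed model of a decrypted TLS-style CBC record: plaintext || MAC || padding,
# every padding byte equal to the pad length. Decryption itself is omitted.
MAC_LEN = 20                       # HMAC-SHA1, as in TLS 1.0/1.1 CBC suites
KEY = b"constructed-demo-mac-key"  # constructed, not a real key

class PaddingError(Exception): pass
class MacError(Exception): pass
class DecryptError(Exception): pass

def build_record(plaintext: bytes) -> bytes:
    body = plaintext + hmac.new(KEY, plaintext, hashlib.sha1).digest()
    pad_len = (16 - (len(body) + 1) % 16) % 16
    return body + bytes([pad_len]) * (pad_len + 1)

def mac_ok(body: bytes) -> bool:
    return hmac.compare_digest(body[-MAC_LEN:], hmac.new(KEY, body[:-MAC_LEN], hashlib.sha1).digest())

def check_leaky(record: bytes) -> bytes:
    # Vulnerable: a padding failure and a MAC failure give the peer different responses.
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record) or any(b != pad_len for b in record[-(pad_len + 1):]):
        raise PaddingError()           # response 1
    body = record[:len(record) - pad_len - 1]
    if not mac_ok(body):
        raise MacError()               # response 2
    return body[:-MAC_LEN]

def check_uniform(record: bytes) -> bytes:
    # Hardened: the MAC is always checked and every failure gets the same response.
    pad_len = record[-1]
    pad_ok = (pad_len + 1 + MAC_LEN <= len(record)
              and all(b == pad_len for b in record[-(pad_len + 1):]))
    body = record[:len(record) - (pad_len + 1 if pad_ok else 1)]  # bad padding: assume zero-length
    if not (mac_ok(body) and pad_ok):
        raise DecryptError()           # one response whatever failed
    return body[:-MAC_LEN]

def observed(check, record: bytes) -> str:
    try:
        check(record)
        return "ok"                    # success, as seen by the peer
    except (PaddingError, MacError, DecryptError) as e:
        return type(e).__name__        # the failure kind the peer can tell apart

def tampered_records() -> list:
    good = build_record(b"GET / HTTP/1.1\r\n")
    bad_pad = good[:-1] + bytes([good[-1] ^ 0xFF])  # corrupt the padding length byte
    bad_mac = bytes([good[0] ^ 0x01]) + good[1:]    # padding intact, MAC now wrong
    return [bad_pad, bad_mac]
```

Running `observed` with both checkers over `tampered_records()` shows two distinguishable outcomes for the leaky checker and a single one for the uniform checker, which is the difference a testing script such as the one quoted above probes for.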
