Mailing List CGatePro@mail.stalker.com Message #106946
From: Fred.Zwarts F.Zwarts@KVI.nl <CGatePro@mail.stalker.com>
Subject: Re: Padding Oracle vulnerability
Date: Tue, 28 Aug 2018 09:59:23 +0200
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
On Thu, 23 Aug 2018 15:35:24 +0300, Dmitry Akindinov (Technical Support support@stalker.com <CGatePro@mail.stalker.com>) wrote:
On 2018-08-23 12:06, Fred.Zwarts F.Zwarts@KVI.nl wrote:
In the release notes of version 6.2.6 I find the following bug fix:

•Bug Fix: TLS: 4.1: TLS connections might be vulnerable to Padding Oracle Attack.

We now run version 6.2.6.
If I run a test from https://www.ssllabs.com/ssltest/ it reports, among others:

This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

What is the explanation? Is there more than one Padding Oracle bug, of which one was fixed?

It appears that some test scripts on the net expect specific behavior in response to attempts to break into a TLS session. The family of "padding oracle" attacks uses the differences in TLS peer responses depending on the success/failure of particular TLS operation stages to guess the next portion of a session key. The protection is to hide those differences, and the fixes in the recent versions of CGpro do that.

Thanks for the reply. I have been thinking about it but I do not really understand what you said. It is probably because English is not my native language.
Do you mean that the test of ssllabs produces a false positive, or do you mean that the bug fix does not remove the vulnerability, but it only hides the vulnerability?
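
The protection described in the quoted reply, hiding the difference between failure responses, shown as an added example; it is not part of the original messages and is not CommuniGate Pro or OpenSSL code. It assumes an already CBC-decrypted MAC-then-encrypt record with HMAC-SHA256 and 16-byte blocks; the function names, key and sample records are constructed for illustration, and the two strings are the TLS alert names.

```python
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 tag length (assumption for this example)

def tag_for(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

def build_plaintext(key, payload, block=16):
    """payload || MAC || TLS-style padding (each pad byte = pad length - 1)."""
    body = payload + tag_for(key, payload)
    pad = block - (len(body) % block)
    return body + bytes([pad - 1]) * pad

def check_leaky(key, pt):
    """Different answers for padding and MAC failures: that difference is the oracle."""
    pad = pt[-1] + 1
    if pad > len(pt) - MAC_LEN or pt[-pad:] != bytes([pad - 1]) * pad:
        return "decryption_failed"      # padding stage failed
    body = pt[:-pad]
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if tag != tag_for(key, payload):
        return "bad_record_mac"         # MAC stage failed
    return "ok"

def check_uniform(key, pt):
    """One answer for every failure; the MAC step runs even when padding is bad."""
    pad = pt[-1] + 1
    pad_ok = pad <= len(pt) - MAC_LEN and pt[-pad:] == bytes([pad - 1]) * pad
    if not pad_ok:
        pad = 1                         # pretend minimal padding, keep going
    body = pt[:-pad]
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(tag, tag_for(key, payload))
    return "ok" if (pad_ok and mac_ok) else "bad_record_mac"

# Constructed sample records (non-empty, a multiple of the block size).
KEY = b"k" * 32
GOOD = build_plaintext(KEY, b"hello")
BAD_PAD = GOOD[:-2] + bytes([GOOD[-2] ^ 1]) + GOOD[-1:]   # one pad byte altered
BAD_MAC = bytes([GOOD[0] ^ 1]) + GOOD[1:]                 # payload altered

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("bad pad", BAD_PAD), ("bad mac", BAD_MAC)):
        print(f"{name:8} leaky={check_leaky(KEY, rec):18} uniform={check_uniform(KEY, rec)}")
```

With the uniform check the peer sees the same alert for both failures, so the response itself no longer tells the two stages apart. Timing differences between the two paths are a separate matter that this example does not address.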