Mailing List CGatePro@mail.stalker.com Message #106945
From: Technical Support support@stalker.com <CGatePro@mail.stalker.com>
Subject: Re: Padding Oracle vulnerability
Date: Thu, 23 Aug 2018 15:35:24 +0300
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Hello,

On 2018-08-23 12:06, Fred.Zwarts F.Zwarts@KVI.nl wrote:
In the release notes of version 6.2.6 I find the following bug fix:

• Bug Fix: TLS: 4.1: TLS connections might be vulnerable to Padding Oracle Attack.

We now run version 6.2.6.
If I run a test from https://www.ssllabs.com/ssltest/ it reports, among others:

This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

What is the explanation? Is there more than one Padding Oracle bug, of which one was fixed?

It appears that some test scripts on the net expect specific behavior in response to attempts to break into a TLS session. The family of "padding oracle" attacks uses the differences in TLS peer responses depending on the success/failure of particular TLS operation stages to guess the next portion of a session key. The protection is to hide those differences, and the fixes in the recent versions of CGpro do that.


--
Best regards,
Dmitry Akindinov

=======================================================================
When answering to letters sent to you by the tech.support staff, make
sure the original message you have received is included into your
reply.
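
The reply above says the protection is to hide the differences between failures at different TLS processing stages. The sketch below is an added example, not CommuniGate Pro code and not part of the original thread: it compares a record check that reports padding and MAC failures separately with one that always runs the MAC stage and reports a single failure. Assumptions: it works on already-decrypted record bytes, the MAC covers only the data (real TLS also covers the sequence number and record header), all names are hypothetical, and Python gives no constant-time guarantee, so only response uniformity is shown.

```python
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 tag size

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def make_record(key, data, block=16):
    """Plaintext of a MAC-then-encrypt CBC record: data || MAC || padding."""
    body = data + mac(key, data)
    pad = block - len(body) % block          # 1..block bytes of padding
    return body + bytes([pad - 1]) * pad     # TLS: every pad byte = pad - 1

def check_leaky(key, plain):
    """Reports each stage separately; that difference is the oracle."""
    if len(plain) <= MAC_LEN:
        return "decryption_failed"
    n = plain[-1] + 1                        # padding bytes incl. length byte
    if n > len(plain) - MAC_LEN or plain[-n:] != bytes([n - 1]) * n:
        return "decryption_failed"           # padding stage failed
    body = plain[:-n]
    if body[-MAC_LEN:] != mac(key, body[:-MAC_LEN]):
        return "bad_record_mac"              # MAC stage failed
    return "ok"

def check_uniform(key, plain):
    """Always runs the MAC stage and reports one failure for both cases."""
    if len(plain) <= MAC_LEN:
        return "bad_record_mac"
    n = plain[-1] + 1
    pad_ok = n <= len(plain) - MAC_LEN and hmac.compare_digest(
        plain[-n:], bytes([n - 1]) * n)
    # Bad padding: assume a zero-length pad (length byte only) and still
    # compute the MAC, as RFC 5246 section 6.2.3.2 suggests.
    body = plain[:len(plain) - (n if pad_ok else 1)]
    mac_ok = hmac.compare_digest(body[-MAC_LEN:], mac(key, body[:-MAC_LEN]))
    return "ok" if pad_ok and mac_ok else "bad_record_mac"

def failure_kinds(check, key, records):
    """Set of distinct failure results a peer could observe."""
    return {check(key, r) for r in records} - {"ok"}

# Constructed sample records (not captured traffic).
KEY = b"k" * 32
GOOD = make_record(KEY, b"hello")
BAD_PAD = GOOD[:-1] + bytes([GOOD[-1] ^ 1])   # last padding byte altered
BAD_MAC = bytes([GOOD[0] ^ 1]) + GOOD[1:]     # data altered, padding intact
```

Calling `failure_kinds` with each checker over the three sample records shows two distinguishable failures for `check_leaky` and one for `check_uniform`.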