Poodlebleed
Posted: Wed Oct 15, 2014 1:25 pm
by normis
Before anybody asks, RouterOS is not affected by the Poodlebleed exploit.
Re: Poodlebleed
Posted: Wed Oct 15, 2014 7:19 pm
by jarda
This is the first time I've seen such an active approach from MikroTik. Keep going forward with this. I appreciate that.
Re: Poodlebleed
Posted: Wed Oct 15, 2014 7:48 pm
by boen_robot
I hadn't heard of it, but now that I've seen it, I'm almost wondering how it hasn't been found sooner (like, as soon as SSL 3.0 became an easy-to-decrypt protocol). I mean, OBVIOUSLY, if you have control over the network between client and server, you can drop some of the connections. I never knew SSL/TLS tries to make several connections at the handshake. I thought it was one connection with packets back & forth (which would be more secure, but then again, I can also see how legacy applications might be broken with that approach, and thus how clients ended up doing the "downgrade dance").
OK, onto MikroTik...
@normis
When you say MikroTik is not affected, it's not affected because...
1) You have SSL 3.0 (and older) disabled or
2) You use an OpenSSL version with TLS_FALLBACK_SCSV support, and have that enabled
?
Re: Poodlebleed
Posted: Fri Oct 17, 2014 11:26 am
by Ordghio
What about SSLv3-based SSTP? Is it affected?
Re: Poodlebleed
Posted: Fri Oct 17, 2014 2:30 pm
by normis
> What about SSLv3-based SSTP? Is it affected?
It only uses TLS and that is not affected.