
problem about "zombie POODLE" and "OpenSSL 0-length"

Question asked by xj li on Jul 3, 2019

I am testing my SSL offload device with https://www.ssllabs.com/ssltest, and it reported that it had the issues "zombie POODLE" and "OpenSSL 0-length". I tested it many times; only a few tries would report that issue. (I am not quite sure, but it seems to tend to report the issue when I try the test at night in China, and I merely got that issue during the day.) My colleague tells me https://www.ssllabs.com/ssltest once reported the "Golden POODLE" vulnerability, but I did not see that myself; maybe it is about the probability.


My SSL offloader is based on OpenSSL, and I checked some documents on the internet:

The researcher who found this vulnerability did not comment that "zombie POODLE" affects OpenSSL: https://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Young-Zombie-Poodle-Goldendoodle-and-How-TLSv13-Can-Save-Us-All.pdf page 85

OpenSSL did not publish an SA for "zombie POODLE": https://www.openssl.org/news/secadv/

OpenSSL noticed this potential risk in 2004: "OpenSSL contains this countermeasure since version 0.9.6c [21 December 2001]." https://www.openssl.org/~bodo/tls-cbc.txt

So "Zombie POODLE" seems not to affect OpenSSL, thus my device should not have the "zombie POODLE" vulnerability.


"OpenSSL 0-length" have an necessary condition : twice call of SSL_shutdown() function (see https://www.openssl.org/news/secadv/20190226.txt ), i am quite sure i do not have this condition in my SSL offloader.


Beyond the analysis, I did some tests with https://github.com/Tripwire/padcheck, the tool from the research team which found "zombie POODLE" and "Golden POODLE". It did not report "zombie POODLE", "OpenSSL 0-Length" or "Golden POODLE".


So my questions are:

As to https://www.ssllabs.com/ssltest, what are the criteria for "zombie POODLE", "OpenSSL 0-Length" and "Golden POODLE"?

Did I have any misunderstanding about the 3 vulnerabilities?

Do you have any advice for my trouble?

This problem has puzzled me for several days; can anybody help?

Many thanks, thank you
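For context on what these CBC padding-oracle findings look for, here is an added example (not part of the question, and not SSL Labs, padcheck or OpenSSL code) modelling the server-side step right after CBC decryption: a leaky implementation that answers bad padding and bad MAC with different alerts, next to a uniform one in the spirit of the countermeasure described in the tls-cbc.txt note linked above. The MAC key and record are constructed; no encryption is performed, only the padding and MAC handling is shown, and the HMAC-SHA1 tag length is an assumption for the demo.

```python
import hmac
import hashlib

MAC_LEN = 20   # HMAC-SHA1 tag length, as in a TLS_*_CBC_SHA suite (assumption for the demo)
BLOCK = 16     # AES block size

def build_record(key: bytes, data: bytes) -> bytes:
    """TLS 1.0-1.2 CBC record plaintext: data || MAC || padding (pad_len+1 bytes, each = pad_len)."""
    body = data + hmac.new(key, data, hashlib.sha1).digest()
    pad_len = BLOCK - (len(body) + 1) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)

def padding_ok(plain: bytes) -> bool:
    pad_len = plain[-1]
    return (pad_len + 1 + MAC_LEN <= len(plain)
            and plain[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))

def mac_ok(key: bytes, body: bytes) -> bool:
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha1).digest(), tag)

def leaky_check(key: bytes, plain: bytes) -> str:
    """Oracle-prone: a padding error and a MAC error are reported with different alerts."""
    if not padding_ok(plain):
        return "decryption_failed"          # padding failure is visible to the peer
    if not mac_ok(key, plain[:-(plain[-1] + 1)]):
        return "bad_record_mac"
    return "ok"

def uniform_check(key: bytes, plain: bytes) -> str:
    """Countermeasure: always verify a MAC and report every failure with one alert.
    (The real countermeasure also equalises timing; only the alert is modelled here.)"""
    good = padding_ok(plain)
    pad_len = plain[-1] if good else 0      # invalid padding: pretend zero-length padding, still MAC
    if not (mac_ok(key, plain[:-(pad_len + 1)]) and good):
        return "bad_record_mac"
    return "ok"

def probe_responses(check) -> tuple:
    """Two tamperings a scanner compares: one MAC byte corrupted vs one padding byte corrupted."""
    key = b"constructed-mac-key"                         # constructed demo key
    rec = build_record(key, b"GET / HTTP/1.1\r\n")       # constructed demo record
    pad_len = rec[-1]
    mac_flip = bytearray(rec)
    mac_flip[-(pad_len + 1 + MAC_LEN)] ^= 0x01          # first MAC byte, padding left intact
    pad_flip = bytearray(rec)
    pad_flip[-2] ^= 0x01                                 # a padding byte, length byte left intact
    return check(key, bytes(mac_flip)), check(key, bytes(pad_flip))
```

A server that behaves like `leaky_check` lets the two tamperings be told apart from its alerts alone; `uniform_check` gives the same answer for both.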
