Archived Forum Post

Index of archived forum posts

Question:

POODLE OpenSSL Vulnerability

Dec 11 '14 at 06:13

Is this an issue? Have most current version.


Answer

I'm not aware of any way that Chilkat could be downgraded to SSLv3. The Chilkat implementation of TLS is not tied to Windows in any way, and there is no interaction with the Windows Registry.

In addition, the new version of Chilkat (not yet released as of this post, but will be v9.5.0.46) adds new possibilities to the SslProtocol property. The possible values will be:

default
TLS 1.2
TLS 1.1
TLS 1.0
SSL 3.0
TLS 1.2 or higher
TLS 1.1 or higher
TLS 1.0 or higher

The default value is "default" which allows for the protocol to be selected dynamically at runtime based on the requirements of the server. Choosing an exact protocol will cause the connection to fail unless that exact protocol is negotiated. It is better to set the property to "X or higher" rather than an exact protocol. The "default" is effectively "SSL 3.0 or higher".

If you would like a pre-release, please indicate the programming language, operating system, etc. so that I can provide the exact build required..


Answer

No, it's not an issue with Chilkat. Chilkat does not use OpenSSL. Chilkat's implementation of SSL/TLS is proprietary. In addition, an application would need to explicitly request to use SSL 3.0 (which is the target of the POODLE attack), and there is no feature within Chilkat's implementation what would make it possible to downgrade from TLS to SSL 3.0 once the secure channel is established.


Answer

Hi, I´m not sure, but it looks like on some misinterpretation. POODLE attack is handled under CVE-2014-3566. POODLE attack is NOT about some vulnerability in some components/libraries like in OpenSSL. It´s not same like HEARTBLEED vulnerability. POODLE is about vulnerability in protocol SSLv3. The problem is in the CBC encryption scheme as implemented in the SSL 3 protocol. Other protocols are not vulnerable because this area had been strengthened in TLS 1.0. So if Chilkat is using SSL v3 protocol instead of using TLS protocol channel by default, it´s vulnerable. Vulnerability in OpenSSL is something different. It´s about TLS_FALLBACK. So my question is Are you using SSL v3 by default in Chilkat or not? And don´t blame us with statement like "we are not using OpenSSL", because as I said previously, POODLE is NOT about vulnerability in OpenSSL but about vulnerability in SSL protocol v3.

Carlos Chewinga


Answer

No, Chilkat does not use SSL v3 by default. Chilkat provides the capability of using SSL v3 if needed by the application for legacy purposes, but it is not used by default.


Answer

nice, appreciate the quick response. You the man!


Answer

What about SFTP, is it possible to downgrade to a previous version?


Answer

I know that, but I have read that SFTP can also be downgraded, and compromised. It would be nice to know that Chilkat also prevents that from happening.

ie, use Chilkat, and you don't ever have to worry about these things. Thanks.


Answer

Thanks, that would be an excellent point in selling Chilkat. All others have to be patched.


Answer

So, Chilkat does not use SSLv3 by default. Is there a way to force downgrade security protocol to SSLv3 by some hack, so Ckilkat will use it? For example forbid TLS usage in Windows Registry?


Answer

Hi, are you affected with this? http://www.computerworld.com.au/article/561828/poodle-flaw-returns-time-hitting-tls-security-protocol/