|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Victor Duchovni (Victor.Duchovni
MorganStanley.com)
Date: Mon Dec 03 2007 - 09:09:38 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, Dec 03, 2007 at 03:03:32PM +0100, Martin Schmitt (Schmitt Systems) wrote:
> Victor Duchovni schrieb:
>
> > But this does not concretely address the OP's problem. In this case there
> > is a post-handshake bug in the SSL 3DES cipher implementation in most
> > fielded Microsoft systems (they don't usefully support anything other
> > than RC4). The bug results in 5 clear-text bytes from application memory
> > leaking into SSL application data messages after the valid ciphertext. The
> > resulting data stream is no longer a sequence of SSL/TLS messages and
> > so the connection breaks immediately after the HELO response (first
> > post-handshake reply from the server).
> >
> > When using TLS with Microsoft Crypto-API systems that predate Windows
> > Server 2007 or Vista, one must accept the use of RC4.
>
> Thanks Victor for taking your time to explain the situation.
I've been told this is a base platform (Windows) issue, but on the
other hand:
http://support.microsoft.com/kb/938857/en-us
seems to suggest an issue in Exchange itself (fix released more recently
than my original information on this subject). The article tries (poorly)
to say that unlike stream ciphers (such as RC4), block ciphers in useful
modes (i.e. not ECB which is not used for security reasons) require
padding for inputs that are not a multiple of the block size and that
the required expansion of the input buffer is not handled correctly.
Perhaps this is an Exchange issue after all.
Hotfix available by request only:
http://go.microsoft.com/?linkid=6294451
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomopostfix.org?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]