eduardsui / tlse

Single C file TLS 1.2/1.3 implementation, using tomcrypt as crypto library

ROBOT attack - ssllabs will downgrade to "F" since Feb2018 #10

Closed strlcat closed 6 years ago

strlcat commented 6 years ago

I am writing my own embedded HTTP server and I successfully integrated tlse into my project. However, when I directed the ssllabs.com test at my host, it rated the server as "A" but warned me that since February 2018 it will downgrade the implementation to "F" because of the ROBOT attack. The website says that I must disable TLS RSA encryption in order not to be vulnerable to it.

I #if 0'd all the TLS_RSAWITH* places and reinstalled, and ssllabs said I am no longer vulnerable. Is this enough for me to be safe?

By the way I am using (test) Let's Encrypt certificate for my domain, and SSL compatibility layer with tlse.

eduardsui commented 6 years ago

Thanks for the info. Disabling RSA is enough to protect against the ROBOT attack. I will make a patch on Monday. I want to check if it is possible to maintain RSA and protect against this attack.
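The fix discussed here is to stop offering the static-RSA key-exchange suites (the `TLS_RSA_WITH_*` family), which is what ROBOT exploits; `TLS_ECDHE_RSA_*` suites only use RSA for signatures and are not affected. The following is an added example, not tlse's code: it parses a captured TLS 1.2 ServerHello record, extracts the negotiated cipher suite and reports whether it belongs to the static-RSA class, which lets you verify a server's configuration from a packet capture without relying on an external scanner. The two ServerHello byte strings are constructed for the example (the 32-byte random is filler), and the suite list is an assumption limited to the common TLS_RSA_WITH_* values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return 1 if the suite uses static RSA key exchange (TLS_RSA_WITH_*),
 * the class affected by ROBOT; 0 otherwise. ECDHE_RSA / DHE_RSA suites
 * use RSA only for signing and are not in this list. (Assumed subset.) */
int is_rsa_key_exchange(uint16_t suite)
{
    static const uint16_t rsa_kx[] = {
        0x0004, /* TLS_RSA_WITH_RC4_128_MD5 */
        0x0005, /* TLS_RSA_WITH_RC4_128_SHA */
        0x000A, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
        0x002F, /* TLS_RSA_WITH_AES_128_CBC_SHA */
        0x0035, /* TLS_RSA_WITH_AES_256_CBC_SHA */
        0x003C, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
        0x003D, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
        0x009C, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
        0x009D  /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
    };
    size_t i;
    for (i = 0; i < sizeof rsa_kx / sizeof rsa_kx[0]; i++)
        if (rsa_kx[i] == suite)
            return 1;
    return 0;
}

/* Parse one TLS record carrying a ServerHello and return the selected
 * cipher suite (0..0xFFFF), or -1 if the bytes are not a well-formed
 * ServerHello. Every length field is checked against the buffer. */
int server_hello_cipher_suite(const uint8_t *rec, size_t len)
{
    size_t pos, sid_len;
    uint32_t rec_len, hs_len;

    if (len < 5 || rec[0] != 0x16)               /* record type: handshake */
        return -1;
    rec_len = ((uint32_t)rec[3] << 8) | rec[4];
    if (rec_len + 5 > len)
        return -1;
    pos = 5;
    if (rec_len < 4 || rec[pos] != 0x02)          /* handshake type: ServerHello */
        return -1;
    hs_len = ((uint32_t)rec[pos + 1] << 16) | ((uint32_t)rec[pos + 2] << 8) | rec[pos + 3];
    if (hs_len + 4 > rec_len)
        return -1;
    pos += 4;
    if (hs_len < 35)                              /* version(2) random(32) sid_len(1) */
        return -1;
    sid_len = rec[pos + 34];
    if (hs_len < 35 + sid_len + 3)                /* + cipher_suite(2) compression(1) */
        return -1;
    pos += 35 + sid_len;
    return (rec[pos] << 8) | rec[pos + 1];
}

/* Constructed sample: ServerHello selecting TLS_RSA_WITH_AES_128_CBC_SHA (0x002F). */
const uint8_t SAMPLE_RSA_HELLO[] = {
    0x16, 0x03, 0x03, 0x00, 0x2A,                 /* record header, length 42 */
    0x02, 0x00, 0x00, 0x26,                       /* ServerHello, length 38 */
    0x03, 0x03,                                   /* TLS 1.2 */
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x00,                                         /* session id length 0 */
    0x00, 0x2F,                                   /* cipher suite */
    0x00                                          /* null compression */
};

/* Constructed sample: same hello, but TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F). */
const uint8_t SAMPLE_ECDHE_HELLO[] = {
    0x16, 0x03, 0x03, 0x00, 0x2A,
    0x02, 0x00, 0x00, 0x26,
    0x03, 0x03,
    0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
    0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
    0x00,
    0xC0, 0x2F,
    0x00
};

int main(void)
{
    const uint8_t *hellos[2] = { SAMPLE_RSA_HELLO, SAMPLE_ECDHE_HELLO };
    size_t sizes[2] = { sizeof SAMPLE_RSA_HELLO, sizeof SAMPLE_ECDHE_HELLO };
    int i;
    for (i = 0; i < 2; i++) {
        int suite = server_hello_cipher_suite(hellos[i], sizes[i]);
        if (suite < 0)
            printf("sample %d: malformed ServerHello\n", i);
        else
            printf("sample %d: suite 0x%04X -> %s\n", i, suite,
                   is_rsa_key_exchange((uint16_t)suite) ? "static RSA key exchange (ROBOT-relevant)"
                                                         : "not static RSA");
    }
    return 0;
}
```

The check deliberately keys on the negotiated suite rather than on whether the certificate is RSA: a server with an RSA certificate that only negotiates ECDHE_RSA is fine, and the scanner warning in this thread goes away exactly when no TLS_RSA_WITH_* suite can be selected.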

eduardsui commented 6 years ago

Ok, tested with ssllabs. I get A+, and "ROBOT (vulnerability) | No (more info)". Can you please send me all the flags you use when compiling?

strlcat commented 6 years ago

Basically, they're cc -Wall -O2 -I. -DWITH_TLS -DTLS_AMALGAMATION, but TLS_AMALGAMATION is defined inside my master header file if it sees my WITH_TLS define. Nothing more.

eduardsui commented 6 years ago

Can you provide a link to your website to check it?

strlcat commented 6 years ago

Sure, https://lynxlynx.ru/

eduardsui commented 6 years ago

Ok, fixed it. Can you confirm?

eduardsui commented 6 years ago

Also note that you should use the tls_* APIs instead of the libssl compatibility layer. The tls_* API is asynchronous, while SSL_* calls may block.

strlcat commented 6 years ago

Yes, with the latest commits it is fixed. ssllabs shows "A" without a warning. Yeah, I just used the SSL_* compat layer to quickly test the implementation and I am already investigating the move to the tls_* API to save some size. However, I use SSL_set_io to point to my own function wrappers, which deal with socket blocking and maybe in future will count sent/received bytes. Are you talking about that?