Legion of the Bouncy Castle Information for VU#577193

POODLE vulnerability in SSL 3.0

Status

Not Affected

Vendor Statement

"Bouncy Castle Java APIs version 1.46, or later, offer the ability to access SSL v3 by overriding methods in order to allow support for it. By default SSL v3 support is turned off.

    It is possible to see if a developer has created the necessary overrides by looking for overrides of the methods AbstractTlsClient.getMinimumVersion () or TlsClient.notifyServerVersion () in client code, and by looking for overrides of AbstractTlsServer.getMinimumVersion () or TlsServer.getServerVersion () in server code.

    Bouncy Castle C# APIs version 1.8 (still in beta), also contains a TLS API, which follows the same profile as the Bouncy Castle Java APIs in respect to SSL v3. Support for “TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks”, currently described at

    https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

    has been added to both the Java and C# APIs to allow developers to prevent SSL v3 as anything but a worst case. We are planning to continue tracking the fallback document as it evolves and will include the results in the next releases of the Java and C# APIs (1.52 and 1.8 respectively)

    For further enquiries in relation to this please contact us at office@bouncycastle.org."

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Vendor References

    https://www.bouncycastle.org/

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.