POODLE SSL 3.0 Vulnerability

chadcraigsmith
Jr. Member
Posts: 2
Joined: 15 Oct 2014, 22:36

POODLE SSL 3.0 Vulnerability

Post by chadcraigsmith »

Hi,

We are currently using the UA C++ OPC UA Toolkit v. 1.4.0

We were just notified of this POODLE vulnerability with SSL 3.0. The toolkit uses OpenSSL. Do we know if this is affected? It seems SSL 3.0 is obsolete, so I suspect we are okay, but wanted to check.

http://googleonlinesecurity.blogspot.co ... sPTTqML5PN
https://www.openssl.org/~bodo/ssl-poodle.pdf

Chad.

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: POODLE SSL 3.0 Vulnerability

Post by Support Team »

Hi Chad,

We generally recommend always updating to the latest version of OpenSSL (the OpenSSL libs shipped with the SDK are for convenience only; they are "old/outdated" on the day we deliver). However, OpenSSL is outside our responsibility (third party). We recommend that all our customers be able to build/compile their own version of OpenSSL, in order to react quickly to any vulnerability. Furthermore, we recommend linking the OpenSSL libraries dynamically in order to be able to replace them more easily, e.g. in a hotfix.

The latest reported bugs were mainly found in the SSL/TLS part (ssleay32.dll), which is typically not needed for OPC UA. Only the hybrid binding "TCP-Binary encoded message over HTTPS" requires TLS. We do not recommend the use of such endpoints. Such endpoints are commented out by default (config.xml). Hence you are typically not affected, unless you use the SDK differently from our recommendation/default.

Regarding POODLE, we did a quick review. The TLS binding accepts HelloMessages only down to TLS version 1.0. All other downward requests (e.g. SSL 3.0) should not be answered. Anyway, we always recommend using the latest OpenSSL.

The "OPC UA TCP Binding" is not affected by SSL/TLS protocol vulnerabilities.

Best Regards
Support Team
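
The behaviour described in the reply above (hellos are answered only down to TLS 1.0), as an added example that is not code from the SDK or from OpenSSL: it reads the offered version out of a ClientHello and applies that floor. The names `classify_client_hello`, `sample_hello` and `Verdict` are hypothetical, and the sample records are constructed.

```cpp
// Added example, not SDK code: apply a TLS 1.0 floor to an incoming ClientHello.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Verdict { Malformed, Refuse, Answer };
constexpr std::uint16_t kSsl30 = 0x0300, kTls10 = 0x0301, kTls12 = 0x0303;

// Hypothetical helper: `rec` is the first TLS record read from the socket.
// Layout: record type(1) version(2) length(2) | handshake type(1) length(3) | client_version(2)
Verdict classify_client_hello(const std::vector<std::uint8_t>& rec,
                              std::uint16_t floor = kTls10) {
    if (rec.size() < 11 || rec[0] != 0x16 || rec[5] != 0x01) return Verdict::Malformed;
    // The record-layer version is only a compatibility hint: any {03,XX} is tolerated.
    if (rec[1] != 0x03) return Verdict::Malformed;
    const std::size_t rec_len = (std::size_t{rec[3]} << 8) | rec[4];
    const std::size_t hs_len =
        (std::size_t{rec[6]} << 16) | (std::size_t{rec[7]} << 8) | rec[8];
    if (rec_len < 6 || rec_len + 5 > rec.size() || hs_len < 2) return Verdict::Malformed;
    // The version the client really offers is in the ClientHello body.
    const std::uint16_t offered = static_cast<std::uint16_t>((rec[9] << 8) | rec[10]);
    return offered >= floor ? Verdict::Answer : Verdict::Refuse;
}

// Constructed sample input: a minimal ClientHello offering one cipher suite.
std::vector<std::uint8_t> sample_hello(std::uint16_t record_ver, std::uint16_t client_ver) {
    std::vector<std::uint8_t> body = {std::uint8_t(client_ver >> 8),
                                      std::uint8_t(client_ver & 0xff)};
    body.insert(body.end(), 32u, std::uint8_t{0xAA});  // random (constructed filler)
    body.insert(body.end(), {0x00,                     // empty session_id
                             0x00, 0x02, 0x00, 0x2F,   // TLS_RSA_WITH_AES_128_CBC_SHA
                             0x01, 0x00});             // null compression only
    const std::size_t hs = body.size(), rl = hs + 4;
    std::vector<std::uint8_t> rec = {
        0x16, std::uint8_t(record_ver >> 8), std::uint8_t(record_ver & 0xff),
        std::uint8_t(rl >> 8), std::uint8_t(rl & 0xff),
        0x01, 0x00, std::uint8_t(hs >> 8), std::uint8_t(hs & 0xff)};
    rec.insert(rec.end(), body.begin(), body.end());
    return rec;
}

int main() {
    std::printf("SSL 3.0 hello answered: %d\n",
                classify_client_hello(sample_hello(kSsl30, kSsl30)) == Verdict::Answer);
    std::printf("TLS 1.2 hello answered: %d\n",
                classify_client_hello(sample_hello(kTls10, kTls12)) == Verdict::Answer);
    return 0;
}
```

The decision is taken on the `client_version` field in the hello body, so a hello with an SSL 3.0 record-layer version that offers TLS 1.2 is still answered, while one that offers SSL 3.0 is refused whatever its record header says.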

chadcraigsmith
Jr. Member
Posts: 2
Joined: 15 Oct 2014, 22:36

Re: POODLE SSL 3.0 Vulnerability

Post by chadcraigsmith »

Thanks for the quick reply. Good information.
