
Is this an issue? Have most current version.

asked Oct 16 '14 at 14:47

cdlvj130


I'm not aware of any way that Chilkat could be downgraded to SSLv3. The Chilkat implementation of TLS is not tied to Windows in any way, and there is no interaction with the Windows Registry.

In addition, the new version of Chilkat (not yet released as of this post, but will be v9.5.0.46) adds new possibilities to the SslProtocol property. The possible values will be:

default
TLS 1.2
TLS 1.1
TLS 1.0
SSL 3.0
TLS 1.2 or higher
TLS 1.1 or higher
TLS 1.0 or higher

The default value is "default" which allows for the protocol to be selected dynamically at runtime based on the requirements of the server. Choosing an exact protocol will cause the connection to fail unless that exact protocol is negotiated. It is better to set the property to "X or higher" rather than an exact protocol. The "default" is effectively "SSL 3.0 or higher".

If you would like a pre-release, please indicate the programming language, operating system, etc. so that I can provide the exact build required.

answered Nov 14 '14 at 11:05

chilkat ♦♦
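
An added example (not Chilkat's code and not part of the answer above): a small Python model of the SslProtocol values listed in that answer, plus a scan that flags settings which still permit SSL 3.0. The negotiation rule (highest version both sides accept), the matched `obj.SslProtocol = "..."` and `put_SslProtocol("...")` spellings, and the sample lines are assumptions made for illustration.

```python
import re

# Protocol names exactly as listed in the answer, oldest first.
ORDER = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]

def allowed_versions(setting):
    """Versions an SslProtocol value permits, following the answer's description."""
    value = setting.strip()
    if value.lower() == "default":
        return list(ORDER)                  # 'effectively "SSL 3.0 or higher"'
    exact, sep, _ = value.partition(" or higher")
    if exact not in ORDER or (sep and value != exact + " or higher"):
        raise ValueError("unknown SslProtocol value: %r" % setting)
    return ORDER[ORDER.index(exact):] if sep else [exact]

def negotiate(setting, server_versions):
    """Simplified model: highest version both sides accept, or None on failure."""
    common = [v for v in allowed_versions(setting) if v in server_versions]
    return common[-1] if common else None

# Assumed call styles: obj.SslProtocol = "..." and obj.put_SslProtocol("...").
SETTING_RE = re.compile(r'\b(?:put_)?SslProtocol\s*(?:=|\()\s*"([^"]*)"')

def audit(source):
    """Return (line_no, value) for every setting that still permits SSL 3.0."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for value in SETTING_RE.findall(line):
            try:
                permits_ssl3 = "SSL 3.0" in allowed_versions(value)
            except ValueError:
                permits_ssl3 = True         # unrecognised value: review by hand
            if permits_ssl3:
                findings.append((no, value))
    return findings

# Constructed sample lines, not taken from any real project.
SAMPLE = '''\
http.SslProtocol = "default"
ftp.put_SslProtocol("TLS 1.0 or higher")
sock.SslProtocol = "SSL 3.0"
imap.put_SslProtocol("TLS 1.2")
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(negotiate("TLS 1.2", ["TLS 1.0", "TLS 1.1"]))
    print(negotiate("TLS 1.0 or higher", ["SSL 3.0", "TLS 1.0", "TLS 1.1"]))
```

The exact "TLS 1.2" setting fails against a server that stops at TLS 1.1, while "TLS 1.0 or higher" connects to it and still refuses an SSL 3.0-only peer.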

No, it's not an issue with Chilkat. Chilkat does not use OpenSSL. Chilkat's implementation of SSL/TLS is proprietary. In addition, an application would need to explicitly request to use SSL 3.0 (which is the target of the POODLE attack), and there is no feature within Chilkat's implementation that would make it possible to downgrade from TLS to SSL 3.0 once the secure channel is established.

answered Oct 16 '14 at 21:02

chilkat ♦♦

Hi, I'm not sure, but it looks like some misinterpretation. The POODLE attack is handled under CVE-2014-3566. The POODLE attack is NOT about some vulnerability in some components/libraries like in OpenSSL. It's not the same as the HEARTBLEED vulnerability. POODLE is about a vulnerability in the SSLv3 protocol. The problem is in the CBC encryption scheme as implemented in the SSL 3 protocol. Other protocols are not vulnerable because this area had been strengthened in TLS 1.0. So if Chilkat is using the SSL v3 protocol instead of a TLS protocol channel by default, it's vulnerable. The vulnerability in OpenSSL is something different. It's about TLS_FALLBACK. So my question is: Are you using SSL v3 by default in Chilkat or not? And don't blame us with statements like "we are not using OpenSSL", because as I said previously, POODLE is NOT about a vulnerability in OpenSSL but about a vulnerability in the SSL protocol v3.

Carlos Chewinga

answered Oct 23 '14 at 04:36

Carlos

No, Chilkat does not use SSL v3 by default. Chilkat provides the capability of using SSL v3 if needed by the application for legacy purposes, but it is not used by default.

answered Oct 23 '14 at 07:58

chilkat ♦♦

nice, appreciate the quick response. You the man!

answered Oct 17 '14 at 09:34

cdlvj130

What about SFTP, is it possible to downgrade to a previous version?

answered Oct 17 '14 at 10:16

cdlvj130

SSH and SSL/TLS are two entirely distinct and separate protocols for establishing a secure communications channel. Neither uses the other.

(Oct 17 '14 at 10:30) chilkat ♦♦

I know that, but I have read that SFTP can also be downgraded, and compromised. It would be nice to know that Chilkat also prevents that from happening.

i.e., use Chilkat, and you don't ever have to worry about these things. Thanks.

answered Oct 17 '14 at 11:35

cdlvj130

Thanks, that would be an excellent point in selling Chilkat. All others have to be patched.

answered Oct 17 '14 at 13:34

cdlvj130

So, Chilkat does not use SSLv3 by default. Is there a way to force a downgrade of the security protocol to SSLv3 by some hack, so Chilkat will use it? For example, forbidding TLS usage in the Windows Registry?

answered Nov 14 '14 at 08:58

dev

I'm not aware of any way that Chilkat could be downgraded to SSLv3. The Chilkat implementation of TLS is not tied to Windows in any way, and there is no interaction with the Windows Registry.

(Nov 14 '14 at 11:01) chilkat ♦♦

Asked: Oct 16 '14 at 14:47

Seen: 1,862 times

Last updated: Dec 11 '14 at 06:13
