wolfSSL and CyaSSL Users SAFE from Recent OpenSSL Security Advisories
OpenSSL released several security advisories yesterday: http://www.openssl.org/news/secadv_20140605.txt. None of these are attacks on the SSL/TLS protocols themselves. They are all implementation bugs. Most are critical bug fixes to DTLS (TLS over UDP). As a clean room implementation of SSL, wolfSSL does not use any OpenSSL code and is free from these defects. The most critical report seems to be the Man in the Middle vulnerability where an attacker can inject a Change Cipher Spec message to force a weak key stream (CVE-2014-0224). wolfSSL does not create the keying material upon receipt of the Change Cipher Spec message as OpenSSL did/does and is free from this problem.
The purpose of this note is not to critique OpenSSL, but rather to inform our user base about how they may be affected. For additional information or questions about CyaSSL please contact us at firstname.lastname@example.org
Originally posted at: http://www.wolfssl.com/wolfSSL/Blog/Entries/2014/6/6_wolfSSL_and_CyaSSL_Users_SAFE_from_Recent_OpenSSL_Security_Advisories.html