Problem about "Zombie POODLE" and "OpenSSL 0-length"

Question asked by xj li on Jul 3, 2019

I am testing my SSL offload device with, and it reported that it had the "Zombie POODLE" and "OpenSSL 0-length" issues. I tested it many times; only a few tries reported that issue. (I am not quite sure, but it seems to tend to report the issue when I run the test at night in China, and I seldom got that issue during the day.) My colleague told me it once reported the "Golden POODLE" vulnerability, but I did not see that myself; maybe it is a matter of probability.


My SSL offloader is based on OpenSSL, so I checked some documents on the internet:
The researcher who found this vulnerability did not comment that "Zombie POODLE" affects OpenSSL: page 85
OpenSSL did not publish an SA for "Zombie POODLE":

OpenSSL noticed this potential risk in 2004: "OpenSSL contains this countermeasure since version 0.9.6c [21 December 2001]."

So "Zombie POODLE" seems not to affect OpenSSL, thus my device should not have the "Zombie POODLE" vulnerability.


"OpenSSL 0-length" has a necessary condition: the SSL_shutdown() function is called twice (see ). I am quite sure I do not have this condition in my SSL offloader.


Beyond the analysis, I did some tests with, which is the tool from the research team that found "Zombie POODLE" and "Golden POODLE"; it did not report "Zombie POODLE", "OpenSSL 0-Length" or "Golden POODLE".


So my questions are:
As to , what are the criteria for "Zombie POODLE", "OpenSSL 0-Length" and "Golden POODLE"?
Do I have any misunderstanding about the 3 vulnerabilities?

Do you have any advice for my trouble?

This problem has puzzled me for several days; can anybody help?
Many thanks, thank you
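Added example, not from the question's author or from OpenSSL: a Python model of the TLS 1.2 CBC record check that runs after decryption, showing the pre-countermeasure logic in which bad padding and a bad MAC produce different alerts (the difference a "Zombie POODLE" style probe looks for) beside the RFC 5246 section 6.2.3.2 countermeasure that the quoted OpenSSL note refers to. The key, sequence number and record contents are constructed sample values.

```python
import hmac
import hashlib

MAC_LEN = 32  # HMAC-SHA256, as in the *_CBC_SHA256 cipher suites

def tls_mac(key, seq, ctype, version, fragment):
    # TLS 1.2 record MAC input: seq_num || type || version || length || fragment
    hdr = seq.to_bytes(8, "big") + bytes([ctype]) + version + len(fragment).to_bytes(2, "big")
    return hmac.new(key, hdr + fragment, hashlib.sha256).digest()

def build_record(fragment, key, seq, ctype, version, block=16):
    # Plaintext as it looks after CBC decryption: fragment || MAC || padding || pad_len
    body = fragment + tls_mac(key, seq, ctype, version, fragment)
    pad_len = (block - (len(body) + 1) % block) % block
    return body + bytes([pad_len]) * (pad_len + 1)

def padding_valid(decrypted):
    pad_len = decrypted[-1]
    return pad_len + 1 + MAC_LEN <= len(decrypted) and all(b == pad_len for b in decrypted[-pad_len - 1:])

def check_vulnerable(decrypted, key, seq, ctype, version):
    # Pre-countermeasure logic: a padding failure is reported on its own, before any MAC
    # check, so the two failure classes are distinguishable by the peer
    if len(decrypted) < MAC_LEN + 1 or not padding_valid(decrypted):
        return "decryption_failed"
    body = decrypted[:-(decrypted[-1] + 1)]
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, tls_mac(key, seq, ctype, version, fragment)):
        return "bad_record_mac"
    return fragment

def check_hardened(decrypted, key, seq, ctype, version):
    # RFC 5246 6.2.3.2 countermeasure: on bad padding, continue as if the padding were
    # zero-length, still run the MAC check, and return one alert for both failure classes
    if len(decrypted) < MAC_LEN + 1:
        return "bad_record_mac"
    padding_ok = padding_valid(decrypted)
    pad_len = decrypted[-1] if padding_ok else 0
    body = decrypted[:len(decrypted) - pad_len - 1]
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(mac, tls_mac(key, seq, ctype, version, fragment))
    return fragment if padding_ok and mac_ok else "bad_record_mac"

# Constructed sample values (not taken from any real session)
KEY, SEQ, CTYPE, VERSION = b"k" * 32, 1, 23, b"\x03\x03"
GOOD = build_record(b"GET / HTTP/1.1\r\n", KEY, SEQ, CTYPE, VERSION)
BAD_PAD = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])                 # corrupt the pad_len byte
BAD_MAC = GOOD[:16] + bytes([GOOD[16] ^ 0x01]) + GOOD[17:]    # corrupt the first MAC byte
```

Timing is the other side of the same oracle: the hardened path still has to cost the same whether the padding was valid or not, which is why real implementations MAC a fixed amount of data rather than only the recovered fragment.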