From owner-freebsd-security@FreeBSD.ORG Sun Sep 30 00:38:37 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 61DDA16A419 for ; Sun, 30 Sep 2007 00:38:37 +0000 (UTC) (envelope-from dexterclarke@Safe-mail.net) Received: from tapuz.safe-mail.net (tapuz.safe-mail.net [213.8.161.230]) by mx1.freebsd.org (Postfix) with ESMTP id 1EB4013C45B for ; Sun, 30 Sep 2007 00:38:37 +0000 (UTC) (envelope-from dexterclarke@Safe-mail.net) Received: by tapuz.safe-mail.net with Safe-mail (Exim 4.52) id 1Iblog-0002Se-Qk for freebsd-security@freebsd.org; Sat, 29 Sep 2007 19:33:46 -0400 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=N1-0105; d=Safe-mail.net; b=rY3GyA/+zmNsrTBNvAXW5fGmmdqgckSxnEyzfwrQxVhyyCH+oVywggFvXznJ7DWY kNeQZn8il1TwFX+E9H92vL/T7pB+SrE3j11TLlfyonjie99ntA+f2GZejO0UFPZo Xq4Iv/TQ88yIvwzSM9rgxCuVNGyvHFM2+khFdy4XLdc=; Received: from pc ([81.86.41.187]) by Safe-mail.net with https Date: Sat, 29 Sep 2007 19:33:46 -0400 From: dexterclarke@Safe-mail.net To: freebsd-security@freebsd.org X-SMType: Regular X-SMRef: N1-Gj4SICimys Message-Id: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-SMSignature: AodkacGTgZqTfwgQngX5GBe8gVjzOWWgVBEnNfbTYLDycpDQBcg93XdFpOmzM+cB ftkKjBvlVbOpJ6TusQa0Wd9ZiW03emLvHiil53I1Ng0X8cAFVoAmGDU/D4tBnexo /eIBu7nu9uJMzVAjeJBfogysPbjpJo3BCLiEmY/zU/o= Subject: Why are most audit events apparently non-attributable? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 30 Sep 2007 00:38:37 -0000

So I'm exploring AUDIT and have this in /etc/security/audit_control:

dir:/var/audit
flags:lo,fd
minfree:20
naflags:lo
policy:cnt
filesz:0

I tell auditd to reread the config file with audit -s but no file deletion events are logged. I change the config file to:

dir:/var/audit
flags:lo
minfree:20
naflags:lo,fd
policy:cnt
filesz:0

I type audit -s and am immediately flooded with 20 kilobytes worth of audit records about file deletions. What I don't understand is why these file deletions are non-attributable? Surely if I sit there touching and removing files, the events should be very clearly attributed to me? Even more strange is that the events look like this:

header,130,10,unlink(2),0,Sat Sep 29 20:48:46 2007, + 957 msec
path,/var/tmp/vi.recover/vi.zhcey0
attribute,600,root,wheel,126,24774,98340
subject,-1,root,wheel,root,wheel,78355,0,0,0.0.0.0
return,success,0
trailer,130

To me, that looks like the event was attributed to 'root', so why does it only appear when using 'naflags', i.e. non-attributable events? Perhaps I misunderstand something fundamental.
-- dc From owner-freebsd-security@FreeBSD.ORG Sun Sep 30 01:50:30 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4615416A418 for ; Sun, 30 Sep 2007 01:50:30 +0000 (UTC) (envelope-from dexterclarke@Safe-mail.net) Received: from tapuz.safe-mail.net (tapuz.safe-mail.net [213.8.161.230]) by mx1.freebsd.org (Postfix) with ESMTP id 051CC13C457 for ; Sun, 30 Sep 2007 01:50:29 +0000 (UTC) (envelope-from dexterclarke@Safe-mail.net) Received: by tapuz.safe-mail.net with Safe-mail (Exim 4.52) id 1Iblqg-0002nU-7v for freebsd-security@freebsd.org; Sat, 29 Sep 2007 19:35:50 -0400 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=N1-0105; d=Safe-mail.net; b=z8TByIdWFhRTlu/N0Zz2BxXrTAA1aJojvjueh+i4fBgi7Cuxxf6T6RiMbpcdiAGS ZY3wg8uGxVVyAMrognsKVPvv1rW6STAeKQRLDkZsk54dTfhBup6kqE0ln/lIJrHG i8w8tqGCxut0ZDThfF0bAcftQXSUHTBoACwLs1oVI4A=; Received: from pc ([81.86.41.187]) by Safe-mail.net with https Date: Sat, 29 Sep 2007 19:35:50 -0400 From: dexterclarke@Safe-mail.net To: freebsd-security@freebsd.org X-SMType: Regular X-SMRef: N1-ZxJOyEVi1H Message-Id: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-SMSignature: Ju+c4rMnNMQcLJKUuEOQnl1F7xXF/4lNxLFrC2Bw8yY2C7fesWtkPr7nebTR+ZnX G+Zdqhp+wxrCkNq6lLuKtTsBRRE+y5k/X3pb7G8jvqZhBzM5Q6Rfj61MbAfv3FkC A14T1fccND05QIXSGTbXGIWzcZciaaGnz7if4jgy/Is= Subject: Why are audit events apparently non-attributable? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 30 Sep 2007 01:50:30 -0000

So I'm exploring AUDIT and have this in /etc/security/audit_control:

dir:/var/audit
flags:lo,fd
minfree:20
naflags:lo
policy:cnt
filesz:0

I tell auditd to reread the config file with audit -s but no file deletion events are logged. I change the config file to:

dir:/var/audit
flags:lo
minfree:20
naflags:lo,fd
policy:cnt
filesz:0

I type audit -s and am immediately flooded with 20 kilobytes worth of audit records about file deletions. What I don't understand is why these file deletions are non-attributable? Surely if I sit there touching and removing files, the events should be very clearly attributed to me? Even more strange is that the events look like this:

header,130,10,unlink(2),0,Sat Sep 29 20:48:46 2007, + 957 msec
path,/var/tmp/vi.recover/vi.zhcey0
attribute,600,root,wheel,126,24774,98340
subject,-1,root,wheel,root,wheel,78355,0,0,0.0.0.0
return,success,0
trailer,130

To me, that looks like the event was attributed to 'root', so why does it only appear when using 'naflags', i.e. non-attributable events? Perhaps I misunderstand something fundamental.
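The record quoted above carries the answer in its subject token: the first field after "subject," is the audit ID (auid), and -1 means the process has no audit session, so the kernel treats everything it does as non-attributable regardless of the effective uid, which is why the unlink(2) records only show up under naflags. The following classifier is an added example (not code from the thread or from FreeBSD) that parses praudit(1) text records, decides attributability from the auid, and reports which audit_control line (flags or naflags) would preselect each record. It assumes the token layout visible in the quoted record (subject,audit-uid,uid,gid,ruid,rgid,pid,sid,port,addr), a constructed two-entry subset of the audit_event(5) class map, plain class names without the +/-/^ prefixes, and a second, constructed record for contrast.

```python
"""Classify praudit(1) text records as attributable or non-attributable.

Added example, not from the thread or from FreeBSD.  Assumes the praudit
token layout shown in the thread (subject,audit-uid,uid,gid,ruid,rgid,pid,
sid,port,addr) and the FreeBSD convention that an audit-uid of -1 marks a
process with no audit session, whose events are preselected by naflags
rather than flags.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of the event -> class map kept in audit_event(5).
EVENT_CLASSES = {"unlink(2)": "fd", "rmdir(2)": "fd"}

# First record: the one quoted in the thread.  Second record: constructed,
# with an audit ID set, as a process from a normal login session would have.
SAMPLE_TRAIL = """\
header,130,10,unlink(2),0,Sat Sep 29 20:48:46 2007, + 957 msec
path,/var/tmp/vi.recover/vi.zhcey0
attribute,600,root,wheel,126,24774,98340
subject,-1,root,wheel,root,wheel,78355,0,0,0.0.0.0
return,success,0
trailer,130
header,118,10,unlink(2),0,Sat Sep 29 20:50:01 2007, + 12 msec
path,/home/dc/scratch.txt
attribute,644,dc,users,126,24801,98412
subject,dc,dc,users,dc,users,78401,120,0,0.0.0.0
return,success,0
trailer,118
"""


@dataclass
class Record:
    event: str
    path: Optional[str]
    auid: str   # audit ID as praudit prints it: a user name, or -1 if unset
    uid: str
    pid: int

    @property
    def attributable(self) -> bool:
        # The audit ID, not the effective uid, decides attributability.
        return self.auid != "-1"

    @property
    def audit_class(self) -> Optional[str]:
        return EVENT_CLASSES.get(self.event)


def parse_records(text: str) -> List[Record]:
    """Group praudit token lines into records (header ... trailer)."""
    records: List[Record] = []
    current = {}
    for line in text.splitlines():
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            # header,byte-count,version,event-type,modifier,time,msec
            current = {"event": fields[3], "path": None, "auid": "-1", "uid": "", "pid": 0}
        elif token == "path":
            current["path"] = fields[1]
        elif token == "subject":
            current["auid"], current["uid"], current["pid"] = fields[1], fields[2], int(fields[6])
        elif token == "trailer" and current:
            records.append(Record(current["event"], current["path"], current["auid"],
                                  current["uid"], current["pid"]))
            current = {}
    return records


def _classes(spec: str) -> set:
    # Plain class names only; the +, - and ^ prefixes of audit_control(5) are not handled.
    return {c.strip() for c in spec.split(",") if c.strip()}


def selected_by(rec: Record, flags: str, naflags: str) -> Optional[str]:
    """Which audit_control line preselects this record: 'flags', 'naflags' or None."""
    cls = rec.audit_class
    if cls is None:
        return None
    line = "flags" if rec.attributable else "naflags"
    spec = flags if rec.attributable else naflags
    return line if cls in _classes(spec) else None


def summarize(text: str, flags: str, naflags: str) -> Dict[str, int]:
    """Count how many records each audit_control line would capture."""
    counts = {"flags": 0, "naflags": 0, "not_selected": 0}
    for rec in parse_records(text):
        counts[selected_by(rec, flags, naflags) or "not_selected"] += 1
    return counts


if __name__ == "__main__":
    for flags, naflags in (("lo,fd", "lo"), ("lo", "lo,fd")):
        print(f"flags:{flags} naflags:{naflags} -> {summarize(SAMPLE_TRAIL, flags, naflags)}")
    for rec in parse_records(SAMPLE_TRAIL):
        state = "attributable" if rec.attributable else "NON-attributable"
        print(rec.pid, rec.uid, state, rec.path)
```

Running it with the two configurations from the post reproduces what was observed: with flags:lo,fd the quoted record (auid -1) is not selected at all, and with naflags:lo,fd it is, while the constructed record with an audit ID behaves the other way round. The practical check this suggests is to look at the auid field of a record rather than its uid before concluding which selection line applies.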
-- dc From owner-freebsd-security@FreeBSD.ORG Wed Oct 3 21:58:30 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9955216A41A; Wed, 3 Oct 2007 21:58:30 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 6E33013C459; Wed, 3 Oct 2007 21:58:30 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (simon@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l93LwUIS089922; Wed, 3 Oct 2007 21:58:30 GMT (envelope-from security-advisories@freebsd.org) Received: (from simon@localhost) by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l93LwUrG089920; Wed, 3 Oct 2007 21:58:30 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 3 Oct 2007 21:58:30 GMT Message-Id: <200710032158.l93LwUrG089920@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-07:08.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-security@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Oct 2007 21:58:30 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-07:08.openssl Security Advisory The FreeBSD Project Topic: Buffer overflow in OpenSSL SSL_get_shared_ciphers() Category: contrib Module: openssl Announced: 2007-10-03 Credits: Moritz Jodeit Affects: All FreeBSD releases. 
Corrected:      2007-10-03 21:39:43 UTC (RELENG_6, 6.2-STABLE)
                2007-10-03 21:40:35 UTC (RELENG_6_2, 6.2-RELEASE-p8)
                2007-10-03 21:41:22 UTC (RELENG_6_1, 6.1-RELEASE-p20)
                2007-10-03 21:42:00 UTC (RELENG_5, 5.5-STABLE)
                2007-10-03 21:42:32 UTC (RELENG_5_5, 5.5-RELEASE-p16)
CVE Name:       CVE-2007-5135

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II. Problem Description

A buffer overflow addressed in FreeBSD-SA-06:23.openssl has been found to be incorrectly fixed.

III. Impact

For applications using the SSL_get_shared_ciphers() function, the buffer overflow could allow an attacker to crash or potentially execute arbitrary code with the permissions of the user running the application.

IV. Workaround

No workaround is available, but only applications using the SSL_get_shared_ciphers() function are affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5.5, 6.1, and 6.2 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-07:08/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-07:08/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/crypto/openssl/ssl/ssl_lib.c                             1.1.1.11.2.3
RELENG_5_5
  src/UPDATING                                              1.342.2.35.2.16
  src/sys/conf/newvers.sh                                    1.62.2.21.2.18
  src/crypto/openssl/ssl/ssl_lib.c                         1.1.1.11.2.1.4.2
RELENG_6
  src/crypto/openssl/ssl/ssl_lib.c                             1.1.1.12.2.2
RELENG_6_2
  src/UPDATING                                              1.416.2.29.2.11
  src/sys/conf/newvers.sh                                    1.69.2.13.2.11
  src/crypto/openssl/ssl/ssl_lib.c                         1.1.1.12.2.1.2.1
RELENG_6_1
  src/UPDATING                                              1.416.2.22.2.22
  src/sys/conf/newvers.sh                                    1.69.2.11.2.22
  src/crypto/openssl/ssl/ssl_lib.c                             1.1.1.12.6.2
- -------------------------------------------------------------------------

VII.
References

http://marc.info/?l=bugtraq&m=119091888624735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:08.openssl.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHBA+HFdaIBMps37IRAtTQAJ0bFBZt7DVJzhQkUcu7VdNS7Kj8cwCeMQaS
cNFjW3j2eolZhlee83l3blo=
=zwC2
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Oct 4 00:25:19 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 97AB816A49A for ; Thu, 4 Oct 2007 00:25:19 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18]) by mx1.freebsd.org (Postfix) with ESMTP id 3D6F413C480 for ; Thu, 4 Oct 2007 00:25:19 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.13.8/8.13.8) with ESMTP id l93Nn8Ec007938; Wed, 3 Oct 2007 19:49:08 -0400 (EDT) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.13.8/8.13.3) with ESMTP id l93Nn8Co011720 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 3 Oct 2007 19:49:08 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <200710032349.l93Nn8Co011720@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Wed, 03 Oct 2007 19:49:31 -0400 To: Stefan Esser , freebsd-security@freebsd.org From: Mike Tancsa In-Reply-To: <46FD7595.8090506@FreeBSD.org> References: <46FD7595.8090506@FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Cc: Subject: Re: OpenSSL bufffer overflow X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id:
"Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Oct 2007 00:25:19 -0000

At 05:43 PM 9/28/2007, Stefan Esser wrote:
>I did not see any commits to the OpenSSL code, recently; is anybody
>going to commit the fix?
>
>See http://www.securityfocus.com/archive/1/480855/30/0 for details ...

How serious is this particular issue ? Is it easily exploitable, or difficult to do ? Are some apps more at risk of exploitation than others ? e.g. ssh,apache ?

---Mike

>Regards, STefan
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Thu Oct 4 08:04:49 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B601616A420 for ; Thu, 4 Oct 2007 08:04:49 +0000 (UTC) (envelope-from vladimir.terziev@gbservices.biz) Received: from cat-btc.gbservices.biz (cat-btc.gbservices.biz [83.228.119.50]) by mx1.freebsd.org (Postfix) with ESMTP id 1705113C468 for ; Thu, 4 Oct 2007 08:04:48 +0000 (UTC) (envelope-from vladimir.terziev@gbservices.biz) Received: from cat-btc.gbservices.biz (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id DDBAB1FA03D for ; Thu, 4 Oct 2007 09:36:09 +0200 (CEST) Received: from fs.gbs.gbdom.com (fs.gbs.gbdom.com [192.168.2.244]) by cat.gbs.gbdom.com (Postfix) with ESMTP id BED2A1FA03C for ; Thu, 4 Oct 2007 09:36:09 +0200 (CEST) Received: from localhost (localhost.gbs.gbdom.com [127.0.0.1]) by localhost (Postfix) with ESMTP id 3A5FF28521 for ; Thu, 4 Oct 2007 09:36:09 +0200 (CEST) Received: from daemon.gbs.gbdom.com (daemon.gbs.gbdom.com [192.168.2.104]) by fs.gbs.gbdom.com (Postfix) with SMTP id B296528517 for ; Thu, 4 Oct 2007
09:36:08 +0200 (CEST) Date: Thu, 4 Oct 2007 10:36:08 +0300 From: Vladimir Terziev To: freebsd-security@freebsd.org Message-Id: <20071004103608.e67dd613.vlady@gbservices.biz> In-Reply-To: <200710032158.l93LwUfM089929@freefall.freebsd.org> References: <200710032158.l93LwUfM089929@freefall.freebsd.org> Organization: GB Services Ltd. X-Mailer: Sylpheed 2.4.4 (GTK+ 2.6.4; i386-unknown-freebsd5.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV GBS-F X-Virus-Scanned: ClamAV GBS-C Subject: Re: FreeBSD Security Advisory FreeBSD-SA-07:08.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Oct 2007 08:04:49 -0000

Hi,

I have applied the patch on a FreeBSD 6.2-RELEASE system and several of the services (courier-imap, postfix) on the machine stopped.

I got the following error:

/libexec/ld-elf.so.1: /usr/lib/libssl.so.4: Undefined symbol "EVP_idea_cbc"

I compared SSL libraries on the patched system with the same, but on an unpatched system. The difference I found is an extra library in /usr/lib on the patched system -- ``/usr/lib/libssl_p.a''. The searched symbol "EVP_idea_cbc" is exactly in this extra library, but it seems the library is not loaded/searched for symbols.

Could someone point me to how to prevent building this extra library and keep the same number of SSL libraries (of course patched) as before patching the system?

Thanks in advance!

Vladimir

The symbol "EVP_idea_cbc" is in this extra library.
On Wed, 3 Oct 2007 21:58:30 GMT FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================= > FreeBSD-SA-07:08.openssl Security Advisory > The FreeBSD Project > > Topic: Buffer overflow in OpenSSL SSL_get_shared_ciphers() > > Category: contrib > Module: openssl > Announced: 2007-10-03 > Credits: Moritz Jodeit > Affects: All FreeBSD releases. > Corrected: 2007-10-03 21:39:43 UTC (RELENG_6, 6.2-STABLE) > 2007-10-03 21:40:35 UTC (RELENG_6_2, 6.2-RELEASE-p8) > 2007-10-03 21:41:22 UTC (RELENG_6_1, 6.1-RELEASE-p20) > 2007-10-03 21:42:00 UTC (RELENG_5, 5.5-STABLE) > 2007-10-03 21:42:32 UTC (RELENG_5_5, 5.5-RELEASE-p16) > CVE Name: CVE-2007-5135 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is > a collaborative effort to develop a robust, commercial-grade, full-featured, > and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) > and Transport Layer Security (TLS v1) protocols as well as a full-strength > general purpose cryptography library. > > II. Problem Description > > A buffer overflow addressed in FreeBSD-SA-06:23.openssl has been found > to be incorrectly fixed. > > III. Impact > > For applications using the SSL_get_shared_ciphers() function, the > buffer overflow could allow an attacker to crash or potentially > execute arbitrary code with the permissions of the user running the > application. > > IV. Workaround > > No workaround is available, but only applications using the > SSL_get_shared_ciphers() function are affected. > > V. 
Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the > RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the > correction date. > > 2) To patch your present system: > > The following patch have been verified to apply to FreeBSD 5.5, 6.1, > and 6.2 systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch http://security.FreeBSD.org/patches/SA-07:08/openssl.patch > # fetch http://security.FreeBSD.org/patches/SA-07:08/openssl.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > # cd /usr/src/secure/lib/libssl > # make obj && make depend && make && make install > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > Branch Revision > Path > - ------------------------------------------------------------------------- > RELENG_5 > src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.3 > RELENG_5_5 > src/UPDATING 1.342.2.35.2.16 > src/sys/conf/newvers.sh 1.62.2.21.2.18 > src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.1.4.2 > RELENG_6 > src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.2.2 > RELENG_6_2 > src/UPDATING 1.416.2.29.2.11 > src/sys/conf/newvers.sh 1.69.2.13.2.11 > src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.2.1.2.1 > RELENG_6_1 > src/UPDATING 1.416.2.22.2.22 > src/sys/conf/newvers.sh 1.69.2.11.2.22 > src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.6.2 > - ------------------------------------------------------------------------- > > VII. 
References > > http://marc.info/?l=bugtraq&m=119091888624735 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135 > > The latest revision of this advisory is available at > http://security.FreeBSD.org/advisories/FreeBSD-SA-07:08.openssl.asc > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (FreeBSD) > > iD8DBQFHBA+HFdaIBMps37IRAtTQAJ0bFBZt7DVJzhQkUcu7VdNS7Kj8cwCeMQaS > cNFjW3j2eolZhlee83l3blo= > =zwC2 > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security-notifications@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications > To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Thu Oct 4 09:44:17 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D28E916A419 for ; Thu, 4 Oct 2007 09:44:17 +0000 (UTC) (envelope-from vladimir.terziev@gbservices.biz) Received: from cat-btc.gbservices.biz (cat-btc.gbservices.biz [83.228.119.50]) by mx1.freebsd.org (Postfix) with ESMTP id 8206813C458 for ; Thu, 4 Oct 2007 09:44:17 +0000 (UTC) (envelope-from vladimir.terziev@gbservices.biz) Received: from cat-btc.gbservices.biz (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 1376B1FA03F; Thu, 4 Oct 2007 11:44:16 +0200 (CEST) Received: from fs.gbs.gbdom.com (fs.gbs.gbdom.com [192.168.2.244]) by cat.gbs.gbdom.com (Postfix) with ESMTP id ED3321FA03E; Thu, 4 Oct 2007 11:44:15 +0200 (CEST) Received: from localhost (localhost.gbs.gbdom.com [127.0.0.1]) by localhost (Postfix) with ESMTP id 5E83628505; Thu, 4 Oct 2007 11:44:15 +0200 (CEST) Received: from daemon.gbs.gbdom.com (daemon.gbs.gbdom.com [192.168.2.104]) by fs.gbs.gbdom.com (Postfix) with SMTP id 144EE28504; Thu, 4 Oct 2007 11:44:15 +0200 (CEST) Date: Thu, 4 Oct 
2007 12:44:15 +0300 From: Vladimir Terziev To: Dag-Erling Smørgrav Message-Id: <20071004124415.83a70f71.vlady@gbservices.biz> In-Reply-To: <86ir5nqlag.fsf@ds4.des.no> References: <200710032158.l93LwUfM089929@freefall.freebsd.org> <20071004103608.e67dd613.vlady@gbservices.biz> <86ir5nqlag.fsf@ds4.des.no> Organization: GB Services Ltd. X-Mailer: Sylpheed 2.4.4 (GTK+ 2.6.4; i386-unknown-freebsd5.4) Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Virus-Scanned: ClamAV GBS-F X-Virus-Scanned: ClamAV GBS-C Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-07:08.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Oct 2007 09:44:17 -0000

Dag-Erling, I have to apologize for the question. The problem was caused by me, since I put MAKE_IDEA=yes in my /etc/make.conf. It seems the FreeBSD 6.2-RELEASE is not built with this option set and the original SSL libraries do not have support for IDEA in them. I have commented out the option and after the re-build of the patched SSL libraries I have all services working fine as before.

Best regards,
Vladimir

On Thu, 04 Oct 2007 11:30:31 +0200 Dag-Erling Smørgrav wrote:
> Vladimir Terziev writes:
> > I have applied the patch on a FreeBSD 6.2-RELEASE system and several
> > of the services (courier-imap, postfix) on the machine stopped.
> >
> > I got the following error:
> >
> > /libexec/ld-elf.so.1: /usr/lib/libssl.so.4: Undefined symbol
> > "EVP_idea_cbc"
>
> You fat-fingered the update, either by building with a different set of
> options than previously, or by checking out only a partial tree. The
> simplest fix is to check out a full RELENG_6_2 tree and build and
> install world.
>
> > I compared SSL libraries on the patched system with the same, but on
> > unpatched system. The difference, i found, is an extra library in
> > /usr/lib, on the patched system -- ``/usr/lib/libssl_p.a''.
>
> That's a profiling version of libssl; it isn't used on a production
> system and has no part in this.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Oct 4 09:47:00 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 243C916A417 for ; Thu, 4 Oct 2007 09:46:58 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id D6FE413C4B5 for ; Thu, 4 Oct 2007 09:46:57 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (localhost [127.0.0.1]) by spam.des.no (Postfix) with ESMTP id 671E920C8; Thu, 4 Oct 2007 11:30:32 +0200 (CEST) X-Spam-Tests: AWL X-Spam-Learn: disabled X-Spam-Score: -0.0/3.0 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on tim.des.no Received: from ds4.des.no (des.no [80.203.243.180]) by smtp.des.no (Postfix) with ESMTP id 5A2C520C7; Thu, 4 Oct 2007 11:30:32 +0200 (CEST) Received: by ds4.des.no (Postfix, from userid 1001) id 3C0A884486; Thu, 4 Oct 2007 11:30:32 +0200 (CEST) From: Dag-Erling Smørgrav To: Vladimir Terziev References: <200710032158.l93LwUfM089929@freefall.freebsd.org> <20071004103608.e67dd613.vlady@gbservices.biz> Date: Thu, 04 Oct 2007 11:30:31 +0200 In-Reply-To: <20071004103608.e67dd613.vlady@gbservices.biz> (Vladimir Terziev's message of "Thu\, 4 Oct 2007 10\:36\:08 +0300") Message-ID: <86ir5nqlag.fsf@ds4.des.no> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.1 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD
Security Advisory FreeBSD-SA-07:08.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Oct 2007 09:47:00 -0000

Vladimir Terziev writes:
> I have applied the patch on a FreeBSD 6.2-RELEASE system and several
> of the services (courier-imap, postfix) on the machine stopped.
>
> I got the following error:
>
> /libexec/ld-elf.so.1: /usr/lib/libssl.so.4: Undefined symbol
> "EVP_idea_cbc"

You fat-fingered the update, either by building with a different set of options than previously, or by checking out only a partial tree. The simplest fix is to check out a full RELENG_6_2 tree and build and install world.

> I compared SSL libraries on the patched system with the same, but on
> unpatched system. The difference, i found, is an extra library in
> /usr/lib, on the patched system -- ``/usr/lib/libssl_p.a''.

That's a profiling version of libssl; it isn't used on a production system and has no part in this.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Oct 4 13:39:14 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AE4FF16A417 for ; Thu, 4 Oct 2007 13:39:14 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from spacemail1-out.mgmt.space.net (spacemail1-out.mgmt.Space.Net [194.97.149.146]) by mx1.freebsd.org (Postfix) with ESMTP id 3C06913C459 for ; Thu, 4 Oct 2007 13:39:13 +0000 (UTC) (envelope-from se@FreeBSD.org) X-SpaceNet-SBRS: None X-IronPort-AV: E=Sophos;i="4.21,230,1188770400"; d="scan'208";a="64618415" Received: from mail.atsec.com ([195.30.252.105]) by spacemail1-out.mgmt.space.net with ESMTP; 04 Oct 2007 15:39:12 +0200 Received: from [10.2.2.88] (frueh.atsec.com [217.110.13.170]) (Authenticated sender: se@atsec.com) by mail.atsec.com (Postfix) with ESMTP id D06B0720923; Thu, 4 Oct 2007 15:39:11 +0200 (CEST) Message-ID: <4704ECFC.5070902@FreeBSD.org> Date: Thu, 04 Oct 2007 15:39:08 +0200 From: Stefan Esser User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: Mike Tancsa References: <46FD7595.8090506@FreeBSD.org> <200710032349.l93Nn8Co011720@lava.sentex.ca> In-Reply-To: <200710032349.l93Nn8Co011720@lava.sentex.ca> X-Enigmail-Version: 0.95.3 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 04 Oct 2007 14:47:13 +0000 Cc: freebsd-security@freebsd.org Subject: Re: OpenSSL bufffer overflow X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Oct 2007 13:39:14 -0000

Mike Tancsa wrote:
> At 05:43 PM 9/28/2007, Stefan Esser wrote:
>> I did not see any commits to the OpenSSL code, recently; is anybody
>> going to commit the fix?
>>
>> See http://www.securityfocus.com/archive/1/480855/30/0 for details ...
>
> How serious is this particular issue ? Is it easily exploitable, or
> difficult to do ? Are some apps more at risk of exploitation than
> others ? e.g. ssh,apache ?

Seems that the following URL (from the FreeBSD Security Advisory) has a better formatted version of the same information as can be found at the location I had given:

http://marc.info/?l=bugtraq&m=119091888624735

A trailing '\0' can be written on the position following a buffer, with little effort. The BugTraq entry describes it in detail ... But (AFAIK) no further analysis has been performed.

Regards, STefan

From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 09:46:51 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6083E16A417 for ; Fri, 5 Oct 2007 09:46:51 +0000 (UTC) (envelope-from bubblereading@gmail.com) Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.224]) by mx1.freebsd.org (Postfix) with ESMTP id F062713C45B for ; Fri, 5 Oct 2007 09:46:50 +0000 (UTC) (envelope-from bubblereading@gmail.com) Received: by wx-out-0506.google.com with SMTP id i29so395448wxd for ; Fri, 05 Oct 2007 02:46:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; bh=fPuvixn6zsKHZtDDQC8JD/KPz+cBtPdrmsFHLIFsYLU=; b=PF6nHsBtM26FqF8cGtux9MR3+qAmEVQozIevD/Gv4QBjYZ+cZbGJLwjdS7FE16cW5j3aj8BL61vSOWMbdynT7AOvpGYj2/88epjvjR+L9xQluzqOFS0shR69z8RqKfHzIkd8wqbDSQvoR/buNgtv3H7x58GbGb8k8DJD50TpEk8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type;
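The defect class Stefan describes above, a terminating '\0' landing on the byte just past the buffer, is easy to show and easy to test for with a guard byte. The following C program is an added illustration of that class and of the corresponding bounds discipline; it is not OpenSSL's code, not the advisory's patch, and makes no claim about the exact logic of SSL_get_shared_ciphers(). What it shares with that function is only the shape of the interface (join names into a caller-supplied buf of len bytes, separated by ':'). The helper names join_names_unsafe, join_names_safe and guard_survives, the sample cipher-suite names, and the guard-byte harness are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the defect class in the advisory, not OpenSSL's own
 * code.  A helper in the style of SSL_get_shared_ciphers(buf, len) joins
 * names into a caller-supplied buffer separated by ':'.  The unsafe variant
 * budgets space for each name but not for the separator it then appends, so
 * after a name that exactly fills the buffer the ':' and the terminating
 * '\0' land on buf[len], one byte past the end.  The safe variant budgets
 * separator and terminator before every write.
 */

#define GUARD 0x7e   /* sentinel placed just past the buffer under test */

/* Constructed sample names (an assumption; not a real negotiated list). */
static const char *sample_names[] = { "AES256-SHA", "DES-CBC3-SHA", "RC4-MD5" };
static const size_t sample_count = sizeof sample_names / sizeof sample_names[0];

/* Vulnerable pattern: off-by-one on the separator/terminator. */
char *join_names_unsafe(const char **names, size_t count, char *buf, size_t len)
{
    char *p = buf;
    size_t remaining = len;

    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        if (n > remaining)          /* BUG: the ':' written below is not counted */
            break;
        memcpy(p, names[i], n);
        p += n;
        *p++ = ':';                 /* can be written at buf[len] */
        remaining -= n;
    }
    if (p != buf)
        p--;                        /* drop the trailing ':' */
    *p = '\0';                      /* the trailing '\0' can sit at buf[len] */
    return buf;
}

/* Hardened version: name, separator and terminator must all fit in len. */
char *join_names_safe(const char **names, size_t count, char *buf, size_t len)
{
    size_t used = 0;

    if (buf == NULL || len == 0)
        return NULL;
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        size_t sep = (used > 0) ? 1 : 0;   /* ':' before every name but the first */
        if (n + sep + 1 > len - used)      /* +1 reserves the terminator */
            break;                         /* stop at the first name that does not fit */
        if (sep)
            buf[used++] = ':';
        memcpy(buf + used, names[i], n);
        used += n;
    }
    buf[used] = '\0';                      /* used < len is guaranteed by the check above */
    return buf;
}

typedef char *(*join_fn)(const char **, size_t, char *, size_t);

/*
 * Run one join into the first len bytes of a larger backing array and report
 * whether the guard byte at backing[len] survived: 1 = intact, 0 = clobbered,
 * -1 = len too large for the backing array.
 */
int guard_survives(join_fn join, size_t len)
{
    char backing[64];

    if (len + 1 > sizeof backing)
        return -1;
    memset(backing, GUARD, sizeof backing);
    join(sample_names, sample_count, backing, len);
    return backing[len] == GUARD;
}

int main(void)
{
    char out[32];

    /* 10-byte buffer, 10-byte first name: the unsafe join writes buf[10]. */
    printf("unsafe, len 10: guard %s\n", guard_survives(join_names_unsafe, 10) ? "intact" : "clobbered");
    printf("safe,   len 10: guard %s\n", guard_survives(join_names_safe, 10) ? "intact" : "clobbered");
    printf("safe,   len 24: \"%s\"\n", join_names_safe(sample_names, sample_count, out, 24));
    return 0;
}
```

The guard-byte harness is the same idea a heap checker or a compiler's address sanitizer applies automatically: surround the buffer with bytes that must not change and inspect them afterwards. The safe variant trades a possibly truncated list for a guarantee that every write, including the terminator, stays inside len, which is the property a caller of such an interface actually depends on.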
b=r4JVhVRzoay/RgKKzg866yfwo54ZI8OTR1XgFb2V3TYE/SMU64S83UsKDCUyBaQBoM2yAXcCFGw0jxjNh7ryeWtgh5qmb7nxb3sjIv1M6sMIb2kx+iqBPfurbU117KYA8wNe5mUi4mSppvR0a8KFHBIQC2HeeDRPCKPgQ3rtrdg= Received: by 10.150.138.8 with SMTP id l8mr454228ybd.1191575920023; Fri, 05 Oct 2007 02:18:40 -0700 (PDT) Received: by 10.90.99.9 with HTTP; Fri, 5 Oct 2007 02:18:39 -0700 (PDT) Message-ID: Date: Fri, 5 Oct 2007 10:18:39 +0100 From: "Bubble Reading" To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Test X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Oct 2007 09:46:51 -0000 Test -- Regards, Bubble From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 09:51:57 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BE50516A417 for ; Fri, 5 Oct 2007 09:51:57 +0000 (UTC) (envelope-from bubblereading@gmail.com) Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.234]) by mx1.freebsd.org (Postfix) with ESMTP id 6038413C4AA for ; Fri, 5 Oct 2007 09:51:57 +0000 (UTC) (envelope-from bubblereading@gmail.com) Received: by wr-out-0506.google.com with SMTP id 70so335366wra for ; Fri, 05 Oct 2007 02:51:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; bh=evDJ4pn/+thJIduK7y9XRqBj5PJ6j/8TMcuc4DRuUnI=; b=Hdo6bATulpyl/xkP0S6yTXUzgKGTaEI9tYe6XzgSoJfKvtnU29G/xmpI6T9nitdvVeW3Z410PRvafiMmYuhaBChkGGNrSIldZTGRAhbI1aFH197KP+lloR+dhoYXiLt4PE3aze8G4h+WTtovhQ1hCHZzFL2RCH1BTShwmzQvBtE= 
Date: Fri, 5 Oct 2007 10:51:56 +0100
From: "Bubble Reading"
To: freebsd-security@freebsd.org
Subject: FastIPSec and OCF

Hi,

Does FASTIPSec in FreeBSD use OCF framework ? Where can I find more
documentation ?

I wish to run cryptographic algorithms after setting a VPN. What command
should I use to run a particular cryptographic algorithm (e.g. 3DES etc.)
Where can I find all such information ?
--
Regards,
Bubble

From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 10:17:26 2007
Date: Fri, 5 Oct 2007 14:17:20 +0400
From: Eygene Ryabinkin
To: Bubble Reading
Cc: freebsd-security@freebsd.org
Message-ID: <20071005101720.GI971@void.codelabs.ru>
Subject: Re: FastIPSec and OCF

Good day.

Fri, Oct 05, 2007 at 10:51:56AM +0100, Bubble Reading wrote:
> Does FASTIPSec in FreeBSD use OCF framework ? Where can I find more
> documentation ?
OCF: man 9 crypto
IPSec: man 4 ipsec
It will give you some pointers, at least on the 7-CURRENT.

You can not say 'OCF Framework', because OCF stands for the
OpenBSD Cryptographic Framework, so you repeat the last word twice.

> I wish to run cryptographic algorithms after setting a VPN. What command
> should I use to run a particular cryptographic algorithm (e.g. 3DES etc.)

I think that it depends on the toolset you're using to make VPN.
Or you want to do it from your own code? Then you may want to
have a look at the ports security/racoon2 and security/ipsec-tools.
--
Eygene

From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 11:26:16 2007
Date: Fri, 5 Oct 2007 12:26:15 +0100
From: "Bubble Reading"
To: "Eygene Ryabinkin"
Cc: freebsd-security@freebsd.org
In-Reply-To: <20071005101720.GI971@void.codelabs.ru>
Subject: Re: FastIPSec and OCF

Hiya,

Can I use Fast-IPSec as a tool to run a crypto command ? Are there any
examples ?

Bubble

On 10/5/07, Eygene Ryabinkin wrote:
>
> Good day.
>
> Fri, Oct 05, 2007 at 10:51:56AM +0100, Bubble Reading wrote:
> > Does FASTIPSec in FreeBSD use OCF framework ? Where can I find more
> > documentation ?
>
> OCF: man 9 crypto
> IPSec: man 4 ipsec
> It will give you some pointers, at least on the 7-CURRENT.
>
> You can not say 'OCF Framework', because OCF stands for the
> OpenBSD Cryptographic Framework, so you repeat the last word twice.
>
> > I wish to run cryptographic algorithms after setting a VPN. What command
> > should I use to run a particular cryptographic algorithm (e.g. 3DES etc.)
>
> I think that it depends on the toolset you're using to make VPN.
> Or you want to do it from your own code? Then you may want to
> have a look at the ports security/racoon2 and security/ipsec-tools.
> --
> Eygene
>

--
Regards,
Bubble

From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 11:46:13 2007
Date: Fri, 5 Oct 2007 15:46:05 +0400
From: Eygene Ryabinkin
To: Bubble Reading
Cc: freebsd-security@freebsd.org
Message-ID: <20071005114605.GP971@void.codelabs.ru>
Subject: Re: FastIPSec and OCF

Fri, Oct 05, 2007 at 12:26:15PM +0100, Bubble Reading wrote:
> Can I use Fast-IPSec as a tool to run a crypto command ?
If you mean by 'Fast-IPSec' the implementation of the IPSec made by
George Neville-Neil (used to be FAST_IPSEC, but in the 7-CURRENT the old
KAME stack was thrown away, so now it is named just IPSEC), then no,
it is the kernel-level implementation of the IPSEC protocol.

But maybe you will be interested in the setkey utility and the
ipsec_set_policy manual page. And the FreeBSD Handbook IPSec section,
http://www.freebsd.org/doc/en/books/handbook/ipsec.html
is worth reading too.
--
Eygene

From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 14:33:45 2007
Date: Fri, 5 Oct 2007 18:33:38 +0400
From: Eygene Ryabinkin
To: Bubble Reading
Message-ID: <20071005143338.GT971@void.codelabs.ru>
Cc: freebsd-security@freebsd.org
Subject: Re: FastIPSec and OCF

Fri, Oct 05, 2007 at 02:10:06PM +0100, Bubble Reading wrote:
> Thanks much for your help.

You're welcome ;))

> I am using FreeBSD v6.2.
>
> My aim is to use a hardware crypto card.

Yes, but for what purpose? To accelerate IPSec or to do some
cryptographic operations? This is a somewhat rhetorical question,
because both issues are a bit lightened below ;))

> And OCF provides the generic kernel
> level interface to hardware cryptology.

Yes, and it's accessible through /dev/crypto, see crypto(4).
Possibly you will want to read the original OCF design paper:
http://www.thought.net/jason/ocfpaper/node8.html#SECTION00042000000000000000

> As I understood from you that Fast-IPSec is a kernel level module which I
> can use to create a VPN tunnel. Is there a userland application which uses
> Fast-IPSec?

Fast IPSec is the networking layer. You can create the gifN device,
configure it and it will encapsulate all traffic that is passing
through it. Perhaps the traffic will be encrypted if you pass the
right parameters to the setkey utility.

If you have some hardware accelerator, then it will be used
automatically for operations it can accelerate: devices are registered
to the crypto framework as the providers of certain operations. So,
crypto hardware will be used automagically. The interesting question
is what will be done if more than one cryptographic accelerator
provides support for a given routine. It seems that some sort of
load balancing is done: the driver that has the smaller number of
pending crypto operations is selected.

OK, I had somewhat lost the topic, so I am returning to the point.
As for the userland application, there is some code in the OpenSSL, see
/usr/src/crypto/openssl/crypto/evp/openbsd_hw.c. I suspect that this is
what the OCF design paper talks about as the OpenSSL enhancement.
Another place in the OpenSSL code that uses /dev/crypto is
/usr/src/crypto/openssl/crypto/engine/eng_cryptodev.c.

There is another place, http://www.logix.cz/michal/devel/cryptodev/,
that has some examples on how to use OCF. It talks about Linux, but it
was promised that the OCF API and semantics are preserved.

You can also check out the contents of /usr/src/tools/tools/crypto/,
especially cryptotest.c. Samuel Leffler has the Usenix paper,
http://www.usenix.org/publications/library/proceedings/bsdcon03/tech/leffler_crypto/leffler_crypto.pdf
that talks about the optimizations of OCF that were done in FreeBSD.
cryptotest.c was written by him to do the profiling.
--
Eygene

From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 15:16:56 2007
Date: Fri, 05 Oct 2007 16:50:47 +0200
From: Olli Hauer
To: freebsd-security@freebsd.org
Message-Id: <1191595847.2850.21.camel@amd.uni.vrs>
Subject: missing Advisory at ftp.freebsd.org

Hi,

I am missing the advisory for openssl at ftp://ftp.freebsd.org/CERT/

Background:
For a long time I used the quickpatch utility at my workstation to
notify me about issues and *how* to fix it.

With the web based advisory this is not possible since the .asc file
contains only the pgp signature (no more details).

Regards,
olli

From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 16:13:09 2007
Date: Fri, 05 Oct 2007 12:13:34 -0400
From: Mike Tancsa
To: "Simon L. Nielsen"
Cc: freebsd-security@FreeBSD.org
Message-Id: <200710051613.l95GD8C0022932@lava.sentex.ca>
In-Reply-To: <20071005160502.GA1222@zaphod.nitro.dk>
Subject: Re: OpenSSL buffer overflow

At 12:05 PM 10/5/2007, Simon L. Nielsen wrote:
>On 2007.10.03 19:49:31 -0400, Mike Tancsa wrote:
> > At 05:43 PM 9/28/2007, Stefan Esser wrote:
> >> I did not see any commits to the OpenSSL code, recently; is anybody
> >> going to commit the fix?
> >>
> >> See http://www.securityfocus.com/archive/1/480855/30/0 for details ...
> >
> > How serious is this particular issue ? Is it easily exploitable, or
> > difficult to do ? Are some apps more at risk of exploitation than others ?
> > e.g. ssh,apache ?
>
>(/me kicks mutt again for not showing new mails in mailboxes...)
>
>Anyway, I don't think it's very likely many people are affected by
>this since not many programs call SSL_get_shared_ciphers(). No
>application in the base system calls SSL_get_shared_ciphers according
>to grep, other than openssl(1)'s built in ssl client/server.
>
>I also did a quick grep in apache 2.2 (I think it was 2.2) and it
>didn't reference the function either, but this was a quick check so if
>it matters to anyone, check yourself.

Thanks!
I did the same grep, but wasn't sure whether or not that particular
function (SSL_get_shared_ciphers) got called by another function in
OpenSSL which was originally called by some of the big apps like
sendmail, apache and sshd.

---Mike

From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 16:21:58 2007
Date: Fri, 5 Oct 2007 18:05:04 +0200
From: "Simon L. Nielsen"
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, Stefan Esser
Message-ID: <20071005160502.GA1222@zaphod.nitro.dk>
In-Reply-To: <200710032349.l93Nn8Co011720@lava.sentex.ca>
Subject: Re: OpenSSL buffer overflow

On 2007.10.03 19:49:31 -0400, Mike Tancsa wrote:
> At 05:43 PM 9/28/2007, Stefan Esser wrote:
>> I did not see any commits to the OpenSSL code, recently; is anybody
>> going to commit the fix?
>>
>> See http://www.securityfocus.com/archive/1/480855/30/0 for details ...
>
> How serious is this particular issue ? Is it easily exploitable, or
> difficult to do ? Are some apps more at risk of exploitation than others ?
> e.g. ssh,apache ?

(/me kicks mutt again for not showing new mails in mailboxes...)

Anyway, I don't think it's very likely many people are affected by
this since not many programs call SSL_get_shared_ciphers(). No
application in the base system calls SSL_get_shared_ciphers according
to grep, other than openssl(1)'s built in ssl client/server.

I also did a quick grep in apache 2.2 (I think it was 2.2) and it
didn't reference the function either, but this was a quick check so if
it matters to anyone, check yourself.

--
Simon L. Nielsen
FreeBSD Security Team

From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 16:26:58 2007
Date: Fri, 05 Oct 2007 08:24:00 -0700
From: Colin Percival
To: Olli Hauer
Cc: freebsd-security@freebsd.org
Message-id: <47065710.6090702@freebsd.org>
In-reply-to: <1191595847.2850.21.camel@amd.uni.vrs>
Subject: Re: missing Advisory at ftp.freebsd.org

Olli Hauer wrote:
> I am missing the advisory for openssl at ftp://ftp.freebsd.org/CERT/

We stopped uploading advisories there because we kept on running into
problems with ftp mirrors being out of date, while we have complete
control over the security.freebsd.org webserver and can make sure
files are there before we send out the advisory.

> Background:
> For a long time I used the quickpatch utility at my workstation to
> notify me about issues and *how* to fix it.
>
> With the web based advisory this is not possible since the .asc file
> contains only the pgp signature (no more details).

Huh? The advisories on the security.freebsd.org webserver are exactly
the same files as the advisories which went to ftp.freebsd.org.
Colin Percival
FreeBSD Security Officer

From owner-freebsd-security@FreeBSD.ORG Fri Oct 5 17:10:04 2007
Date: Fri, 5 Oct 2007 09:35:23 -0700
From: Gregory Shapiro
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Message-ID: <20071005163523.GN477@monkeyboy.local>
In-Reply-To: <200710051613.l95GD8C0022932@lava.sentex.ca>
Subject: Re: OpenSSL buffer overflow

> Thanks!
> I did the same grep, but wasn't sure whether or not that particular
> function (SSL_get_shared_ciphers) got called by another function in OpenSSL
> which was originally called by some of the big apps like sendmail,apache
> and sshd

When I last researched this, when the first problem with that function
was announced, no other functions inside OpenSSL called it. That still
appears to be the case:

/usr/src/crypto/openssl> grep -R SSL_get_shared_ciphers .
./apps/s_client.c:      p=SSL_get_shared_ciphers(s,buf,sizeof buf);
./apps/s_server.c:      if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL)
./apps/s_server.c:      p=SSL_get_shared_ciphers(con,buf,bufsize);
./doc/ssleay.txt:SSL_get_shared_ciphers
./doc/ssl/ssl.pod:=item char *B(SSL *ssl, char *buf, int len);
./ssl/ssl.h:char *      SSL_get_shared_ciphers(SSL *s, char *buf, int len);
./ssl/ssl_lib.c:char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
./util/ssleay.num:SSL_get_shared_ciphers    65      EXIST::FUNCTION:

Also, sendmail does not use it.
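The off-by-one Stefan describes earlier in the thread (a terminating '\0' landing on the byte just past the caller's buffer) is easy to model and to detect, so here is an added example that is not OpenSSL's code and not from anyone in this thread: a hypothetical joiner in the shape of SSL_get_shared_ciphers() beside a bounded version, with a canary byte past the logical buffer end to show which one overwrites it. The function names, the sample cipher names and the buffer sizes are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample cipher list (not from the thread); the first name is
 * longer than the 8-byte buffer used below, which is the case that matters. */
static const char *sample_names[] = { "AES256-SHA", "DES-CBC3-SHA" };
#define SAMPLE_COUNT 2

/* Buggy variant: a hypothetical model of the defect, NOT OpenSSL's code.
 * 'len' is counted down as characters are copied, but the "buffer full"
 * branch is only taken once 'p' already sits at buf + len, so the
 * terminating '\0' written there lands one byte past the buffer.
 * The ':' separators are not charged against 'len' at all. */
static int join_ciphers_buggy(const char **names, int n, char *buf, int len)
{
    char *p = buf;
    int i;

    for (i = 0; i < n; i++) {
        const char *cp;
        for (cp = names[i]; *cp != '\0'; cp++) {
            if (len-- == 0) {        /* true only after len chars were copied */
                *p = '\0';           /* off-by-one: p == buf + original len */
                return (int)(p - buf);
            }
            *p++ = *cp;
        }
        *p++ = ':';
    }
    p[-1] = '\0';                    /* replace the trailing ':' (n > 0 assumed) */
    return (int)(p - 1 - buf);
}

/* Hardened variant: one byte is reserved for the terminator up front and
 * every character and separator is charged against the remaining space,
 * so the '\0' can never be written beyond buf[len - 1].  Output is
 * truncated at a name boundary rather than mid-name. */
static int join_ciphers_safe(const char **names, int n, char *buf, int len)
{
    char *p = buf;
    int space, i;

    if (len <= 0)
        return -1;                   /* no room even for the terminator */
    space = len - 1;
    for (i = 0; i < n; i++) {
        int l = (int)strlen(names[i]);
        int need = l + (i > 0 ? 1 : 0);   /* ':' before every name but the first */
        if (need > space)
            break;
        if (i > 0)
            *p++ = ':';
        memcpy(p, names[i], (size_t)l);
        p += l;
        space -= need;
    }
    *p = '\0';                       /* p - buf == (len - 1) - space <= len - 1 */
    return (int)(p - buf);
}

typedef int (*joiner_fn)(const char **, int, char *, int);

/* Detection harness: runs a joiner against a logical buffer of 'len' bytes
 * carved out of a larger array, with a canary byte just past the logical
 * end.  Returns 1 if the canary was overwritten (the one-byte overflow),
 * 0 if not, -1 if 'len' does not fit the harness array. */
static int overflows_buffer(joiner_fn fn, const char **names, int n, int len)
{
    char buf[64];

    if (len < 0 || len + 1 > (int)sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);    /* buf[len] is the canary */
    fn(names, n, buf, len);
    return buf[len] != 'X';
}

/* Joins the sample list with the hardened joiner into a static buffer of
 * the given logical length and returns the resulting string. */
static const char *join_sample_safe(int len)
{
    static char out[64];

    if (len > (int)sizeof out)
        len = (int)sizeof out;
    join_ciphers_safe(sample_names, SAMPLE_COUNT, out, len);
    return out;
}

int main(void)
{
    printf("buggy joiner overwrites canary: %d\n",
           overflows_buffer(join_ciphers_buggy, sample_names, SAMPLE_COUNT, 8));
    printf("safe joiner overwrites canary:  %d\n",
           overflows_buffer(join_ciphers_safe, sample_names, SAMPLE_COUNT, 8));
    printf("safe joiner, 64 bytes: %s\n", join_sample_safe(64));
    printf("safe joiner, 12 bytes: %s\n", join_sample_safe(12));
    return 0;
}
```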