From: Daniel
Date: Tue, 17 Nov 2009 12:47:14 +0100
To: freebsd-security@freebsd.org
Subject: Openssl TLS Reneg "Bug"

Dear List,

new here so sorry if I am missing any important points. I was wondering:
Does anyone know of the status of the "amended" openssl packages for
FreeBSD? I'd like to try running our site with "reneg off", but I can't
seem to find any notion of this on freebsd sites. Any ideas, pointers?

Best
Daniel


From: Matthew Seaman
Date: Wed, 18 Nov 2009 07:18:55 +0000
To: Daniel
Cc: freebsd-security@freebsd.org
Subject: Re: Openssl TLS Reneg "Bug"

Daniel wrote:
> Dear List,
> new here so sorry if I am missing any important points. I was
> wondering: Does anyone know of the status of the "amended" openssl
> packages for FreeBSD? I'd like to try running our site with "reneg
> off", but I can't seem to find any notion of this on freebsd sites.
> Any ideas, pointers?

The only way of doing that at present is to use openssl-0.9.8l, which
has simply had the renegotiation stuff diked out of it. That's available
as the security/openssl port, but be aware that you will have to
rebuild any SSL-aware application to link against the shlibs it
installs.

The fix in 0.9.8l is an interim measure which cripples certain openssl
functionality: installing it may cause websites to malfunction, so make
sure you have good backups and have thought about how you can back the
change out if needed.

openssl-0.9.8m will provide the corrected renegotiation mechanisms as
described in

https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt

However, 0.9.8m has not yet been released. I'd assume that this will
probably be the subject of a FreeBSD Security Advisory once the fixes
are available, and that supported FreeBSD branches will be updated to
0.9.8m or otherwise patched to the same effect in the base system.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey


From: Eygene Ryabinkin
Date: Thu, 19 Nov 2009 18:19:34 +0300
To: Daniel
Cc: freebsd-security@freebsd.org
Subject: Re: Openssl TLS Reneg "Bug"

Tue, Nov 17, 2009 at 12:47:14PM +0100, Daniel wrote:
> new here so sorry if I am missing any important points. I was
> wondering: Does anyone know of the status of the "amended" openssl
> packages for FreeBSD? I'd like to try running our site with "reneg
> off", but I can't seem to find any notion of this on freebsd sites.
> Any ideas, pointers?

OpenSSL port was updated to 0.9.8l:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/openssl/Makefile?rev=1.158;content-type=text%2Fx-cvsweb-markup

OpenSSL in the base system wasn't patched, according to svn.freebsd.org.

-- 
Eygene

Remember that it is hard to read the on-line manual while
single-stepping the kernel.
-- FreeBSD Developers handbook
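Matthew's reply distinguishes two states: 0.9.8l, where renegotiation is simply removed, and 0.9.8m, which implements the draft-rescorla-tls-renegotiate mechanism. Eygene adds that only the port, not the base system, had moved to 0.9.8l, so a FreeBSD host may carry two different libssl builds. The script below is an added example, not code from the thread or from the FreeBSD project. It classifies an OpenSSL version string (legacy major.minor.fix plus optional patch letters) against those two releases, and reads the "Secure Renegotiation IS supported" / "IS NOT supported" line that openssl s_client prints from 0.9.8m onwards; that line is an assumption the thread itself does not mention, and the s_client output in the script is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): classify an OpenSSL build against the
# two releases discussed on the list.
#   < 0.9.8l  : renegotiation as originally implemented
#   0.9.8l    : interim fix, renegotiation removed entirely
#   >= 0.9.8m : secure renegotiation per draft-rescorla-tls-renegotiate
# Run it on each libssl you care about (base system and the security/openssl
# port are separate builds): ./reneg-check.sh 0.9.8l   or just ./reneg-check.sh

letter_index() {
    # Map a patch letter to its rank: a=1 ... z=26; no letter -> 0
    [ -n "$1" ] || { echo 0; return; }
    alphabet=abcdefghijklmnopqrstuvwxyz
    prefix=${alphabet%%"$1"*}
    echo $(( ${#prefix} + 1 ))
}

openssl_version_key() {
    # Turn "0.9.8l", "0.9.8zh" or "1.0.1e-fips" into one integer that orders
    # the way OpenSSL's legacy versions do (numbers first, then the letters).
    num=$(printf '%s' "$1" | sed 's/[a-z].*$//')            # "0.9.8"
    letters=$(printf '%s' "$1" | sed 's/^[0-9.]*//; s/[^a-z].*$//')   # "l", "zh", ""
    [ -n "$num" ] || { echo 0; return; }
    major=${num%%.*}; rest=${num#*.}
    minor=${rest%%.*}; fix=${rest#*.}
    l1=$(printf '%s' "$letters" | cut -c1)
    l2=$(printf '%s' "$letters" | cut -c2)
    # Two-letter suffixes (za..zh) sort after the single letter z.
    lscore=$(( $(letter_index "$l1") * 27 + $(letter_index "$l2") ))
    echo $(( major * 100000000 + minor * 1000000 + fix * 1000 + lscore ))
}

reneg_fix_status() {
    # $1: OpenSSL version string. Prints one of three classifications.
    key=$(openssl_version_key "$1")
    if [ "$key" -ge "$(openssl_version_key 0.9.8m)" ]; then
        echo secure-renegotiation        # RFC-style secure renegotiation
    elif [ "$key" -ge "$(openssl_version_key 0.9.8l)" ]; then
        echo renegotiation-disabled      # the interim 0.9.8l measure
    else
        echo vulnerable                  # renegotiation as originally implemented
    fi
}

# Constructed sample of the tail of `openssl s_client -connect host:443`
# output as printed by a 0.9.8m-or-later client (assumption: older clients
# print no such line at all).
SAMPLE_SCLIENT_OUTPUT='SSL handshake has read 1234 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE'

sclient_reneg_status() {
    # $1: captured s_client output. Prints supported / not-supported / unknown.
    case $1 in
        *"Secure Renegotiation IS NOT supported"*) echo not-supported ;;
        *"Secure Renegotiation IS supported"*)     echo supported ;;
        *) echo unknown ;;   # client too old to report, or output truncated
    esac
}

# Report on the version given as $1, or on the openssl found in PATH.
ver=${1:-$(openssl version 2>/dev/null | cut -d' ' -f2)}
if [ -n "$ver" ]; then
    printf 'openssl %s: %s\n' "$ver" "$(reneg_fix_status "$ver")"
fi
printf 'sample s_client output: %s\n' "$(sclient_reneg_status "$SAMPLE_SCLIENT_OUTPUT")"
```

The version check only tells you what a given libssl was built from; as Matthew notes, an application keeps using whichever shared library it was linked against, so check the binary's actual libssl rather than assuming the port's version applies to everything on the host. The s_client check is the server-side view: it reports whether the peer advertised the secure renegotiation extension during the handshake, which is what matters once 0.9.8m-class clients are deployed.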