From owner-freebsd-security@FreeBSD.ORG Mon May 11 07:38:47 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 54DC75BD; Mon, 11 May 2015 07:38:47 +0000 (UTC) Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 20063191A; Mon, 11 May 2015 07:38:47 +0000 (UTC) Received: by oica37 with SMTP id a37so98077328oic.0; Mon, 11 May 2015 00:38:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=0ceFe/snchOTr/L74w8aGKkvTPvRyZZqrXrYTP/BdSg=; b=X+HUjE9SUinS3rYh265U1hVWnm/U663D4jX+mZ09YGsBPUXblB8dOO64IQWORy48r0 NarWGl1ZhSpfugahPCD9J72FgMIPQ3Wa712CQ42BVcNBDIe4OvuwloQjVt5G03ry+rhg R/Hd1kjK22ujlDFNJ0yaVAXK6r4pyy69eGcW4H5cdfSikbiVFUcuNR1is4lpVdNkZTGl rgGWpt63U1LxD2ply4go2xGScEvk/opM0pyjygjoz91iAUQMlCcDc299/Jn+2ExBxZfK STbAAviLCX5nWevvHz+cTh2pH30rr9MXKT9Hb9yWju8Fn7f+mQPBvRa3o0qjxepYj6ll T0gg== MIME-Version: 1.0 X-Received: by 10.60.82.4 with SMTP id e4mr7055240oey.42.1431329926287; Mon, 11 May 2015 00:38:46 -0700 (PDT) Received: by 10.182.18.7 with HTTP; Mon, 11 May 2015 00:38:46 -0700 (PDT) Date: Mon, 11 May 2015 09:38:46 +0200 Message-ID: Subject: Wrong security audit for mail/postfix ? From: Cristiano Deana To: FreeBSD Stable Mailing List , freebsd-security@freebsd.org, freebsd-ports@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 May 2015 07:38:47 -0000 Hi, this morning I got for my mailservers # pkg audit postfix-2.11.4,1 is vulnerable: postfix -- plaintext command injection with SMTP over TLS CVE: CVE-2011-0411 WWW: http://vuxml.FreeBSD.org/freebsd/14a6f516-502f-11e0-b448-bbfa2731f9c7.html postfix-2.11.4,1 is vulnerable: Postfix -- memory corruption vulnerability CVE: CVE-2011-1720 WWW: http://vuxml.FreeBSD.org/freebsd/3eb2c100-738b-11e0-89f4-001e90d46635.html But this is a bug from 2011, and it's blocking new install or updates of postfix packages. Who should be warned of this? Thank you. -- Cris, member of G.U.F.I Italian FreeBSD User Group http://www.gufi.org/ From owner-freebsd-security@FreeBSD.ORG Mon May 11 08:36:05 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D5921A04; Mon, 11 May 2015 08:36:05 +0000 (UTC) Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mout.gmx.net", Issuer "TeleSec ServerPass DE-1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6D0621020; Mon, 11 May 2015 08:36:04 +0000 (UTC) Received: from [10.193.61.94] ([109.42.0.174]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MO7Ca-1YoRwG1VEy-005byR; Mon, 11 May 2015 10:35:56 +0200 User-Agent: K-9 Mail for Android In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: Wrong security audit for mail/postfix ? From: olli hauer Date: Mon, 11 May 2015 10:35:58 +0200 To: Cristiano Deana , FreeBSD Stable Mailing List , freebsd-security@freebsd.org, freebsd-ports@freebsd.org Message-ID: <35A69C37-F4ED-4235-8491-5F66E355592F@gmx.de> X-Provags-ID: V03:K0:cWXn3P5boDTf4vf7N7SjyHZosCJf4Qm4pKpMdUYcq7KKQC+qB6o KGbsl7WmRZJv1R2i3+eZdQxVbtxvyk3xkk8GFpvR3xSV1YzfB28R/AgE/yGkhX5xsCeMBQt DKS/OEqaQ0e97ZbRMr6JKcrzZnE0fN4SBZQtuyxjOGI67oD6v2SMGO49FDWu+jZedm2+7aX anR01PTCqaI92qVGub9rA== X-UI-Out-Filterresults: notjunk:1; X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 May 2015 08:36:05 -0000 On May 11, 2015 9:38:46 AM CEST, Cristiano Deana wrote: > Hi, >=20 > this morning I got for my mailservers >=20 > # pkg audit > postfix-2=2E11=2E4,1 is vulnerable: > postfix -- plaintext command injection with SMTP over TLS > CVE: CVE-2011-0411 > WWW: > http://vuxml=2EFreeBSD=2Eorg/freebsd/14a6f516-502f-11e0-b448-bbfa2731f9c= 7=2Ehtml >=20 > postfix-2=2E11=2E4,1 is vulnerable: > Postfix -- memory corruption vulnerability > CVE: CVE-2011-1720 > WWW: > http://vuxml=2EFreeBSD=2Eorg/freebsd/3eb2c100-738b-11e0-89f4-001e90d4663= 5=2Ehtml >=20 > But this is a bug from 2011, and it's blocking new install or updates > of postfix packages=2E >=20 > Who should be warned of this? >=20 > Thank you=2E Hi Cristiano, this should be fixed=2Emeanwhile=2E Please run the command=20 # pkg audit -F --=20 Regards, olli From owner-freebsd-security@FreeBSD.ORG Mon May 11 09:14:27 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 208F2E6F; Mon, 11 May 2015 09:14:27 +0000 (UTC) Received: from mail-ob0-x22c.google.com (mail-ob0-x22c.google.com [IPv6:2607:f8b0:4003:c01::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DCCD214E1; Mon, 11 May 2015 09:14:26 +0000 (UTC) Received: by obblk2 with SMTP id lk2so95369825obb.0; Mon, 11 May 2015 02:14:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4b+hDl0ZDI1qHCC/5bxxMVGeq/a2CrxqtnrsxzzvUdI=; b=aL8Mn/HLIOc9oPTnTrXwwhJBGrHYQVV0V0l88O55w5BmxrA5ch4fqOhx/3fVuvlMbU 5oRSBLGqYP17HR6caMCBpeYyrtIFAximb2jVZ2UzMNjcqKZTY6Bfw0yNaQHG3yqNJ48g BRnCbv8Fxq1ytRP6JbpqCLJyFYENqXYLu8ft0Wwsy2vwX3XsNypF3UclZgassK4PTyrl yWsENM6R6GOAEAcaUDhWvJztXjpKRlEIgFikQOZumvz2bq5ionP+QUIZf3N1G52b6UOV N+fm5OfZrGFWQ5OXNO3o5iSpKDqAFZIT/eZ1d1GZNByll4d+FEcf6TozAKG1jDEGtgWn /6BQ== MIME-Version: 1.0 X-Received: by 10.60.82.4 with SMTP id e4mr7271576oey.42.1431335666229; Mon, 11 May 2015 02:14:26 -0700 (PDT) Received: by 10.182.18.7 with HTTP; Mon, 11 May 2015 02:14:26 -0700 (PDT) In-Reply-To: <35A69C37-F4ED-4235-8491-5F66E355592F@gmx.de> References: <35A69C37-F4ED-4235-8491-5F66E355592F@gmx.de> Date: Mon, 11 May 2015 11:14:26 +0200 Message-ID: Subject: Re: Wrong security audit for mail/postfix ? From: Cristiano Deana To: olli hauer Cc: FreeBSD Stable Mailing List , freebsd-security@freebsd.org, freebsd-ports@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 May 2015 09:14:27 -0000 On Mon, May 11, 2015 at 10:35 AM, olli hauer wrote: Hi, > Hi Cristiano, > > this should be fixed.meanwhile. > > Please run the command > # pkg audit -F Confirmed, fixed. Thanks. -- Cris, member of G.U.F.I Italian FreeBSD User Group http://www.gufi.org/ From owner-freebsd-security@FreeBSD.ORG Wed May 13 13:36:17 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B4297D13 for ; Wed, 13 May 2015 13:36:17 +0000 (UTC) Received: from know-smtprelay-omc-2.server.virginmedia.net (know-smtprelay-omc-2.server.virginmedia.net [80.0.253.66]) by mx1.freebsd.org (Postfix) with ESMTP id 347CD1A1D for ; Wed, 13 May 2015 13:36:16 +0000 (UTC) Received: from THORIUM ([213.104.215.150]) by know-smtprelay-2-imp with bizsmtp id TRcF1q00t3FGC4d01RcGJ4; Wed, 13 May 2015 14:36:16 +0100 X-Originating-IP: [213.104.215.150] X-Spam: 0 X-Authority: v=2.1 cv=G86SErU5 c=1 sm=1 tr=0 a=BWCVJUppqCeJjHuQAqN8WA==:117 a=BWCVJUppqCeJjHuQAqN8WA==:17 a=kj9zAlcOel0A:10 a=6I5d2MoRAAAA:8 a=NLZqzBF-AAAA:8 a=Q5AbAaysxpCNgT-KvfsA:9 a=CjuIK1q_8ugA:10 a=frvxnMMPH8oA:10 a=fAoCJ-zber0A:10 a=maxG-38RcLAA:10 From: "James C Elstone" To: References: <35A69C37-F4ED-4235-8491-5F66E355592F@gmx.de> In-Reply-To: Subject: Forums.FreeBSD.org - SSL Issue? Date: Wed, 13 May 2015 14:36:33 +0100 Message-ID: <000b01d08d81$d40ffea0$7c2ffbe0$@c.elstone@ntlworld.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AdCLyuVGoBWnJrhJSIyhnBcqRfkZDgBtrXnA Content-Language: en-gb X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 May 2015 13:36:17 -0000 Hi All, Can anyone confirm if the SSL key chain on forums.freebsd.org is OK? I'm getting a number of key chain errors with the Gandi key chain lacking intermediate CAs... Kr, James. From owner-freebsd-security@FreeBSD.ORG Wed May 13 13:48:19 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9EAD9118 for ; Wed, 13 May 2015 13:48:19 +0000 (UTC) Received: from rack.patpro.net (rack.patpro.net [193.30.227.216]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "patpro.net", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5D34D1BBB for ; Wed, 13 May 2015 13:48:18 +0000 (UTC) Received: from patpro.univ-lyon2.fr (patpro.univ-lyon2.fr [159.84.113.250]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) by rack.patpro.net (Postfix) with ESMTPSA id BA452B85; Wed, 13 May 2015 15:43:06 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=patpro.net; s=201504-3edeac90; t=1431524587; bh=0tDxc+HJc2z4O93x0nYcNBFhRJvmcnIgGAtdh7rrFac=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=iy+7u6lynobiJhpk0bExD5APi0qX428hjfofFLKiz+iI893kByynYAnRiFMmggYzo kMzSM6utFcOFh05I2n1GpA9NwflyTzPG8DiAGDSWAXREGwIsJR1DZxbukg+Vdj71Z1 vp5lB0mUOP4SCQOC6+N9hWx3l6OdZ811Hbem5E9Ihy5IUNLN4PaOMfXzDuBN6+pm2G vCn3O90LNTDI+JhCr7GTVzE2bLSVmlZzM4gF3TM9u9WE2dXbfwBNmLlkAfehnKO+Kz PzaVHWRW389JarWlw6cenRQVNN4RDq5LlMegAJ0HQoJteo4Q0FRxklRh8UlxTR5byg mYRvx5WntdT/9CmqqXpvKi39zDCyZFCeTUSGL9wISrqL20ah8zOH3RHKvg7P9uqLRO 3vjhdWMUmU7YHa6ol/K5IW6Kd9lqIEzbHtt+KnkC6Pli6zKbZmWtEAhnwgrBE9tn/V UwN9T8oNs+Ngcub/zxADs+JNodPh8DnnhdwOBU7v2c2JNnHl0Si5x7NOc+rDd2SOnl A6wKvdHPx9uaXUaBJjW/biERJL4wSL5VfZ4eENZ5uUf64QaHXZ+XQ5dwFLurKEzFI5 aISiZa0G7jedELOjHvvvfm2Xev52C4SmLeqPRP5IG0XVK+avRhHdcwsZwfSmYn8o1P wutDPpzYJ/kQRKFaqkEgs83U= Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\)) Subject: Re: Forums.FreeBSD.org - SSL Issue? From: patpro@patpro.net In-Reply-To: <000b01d08d81$d40ffea0$7c2ffbe0$@c.elstone@ntlworld.com> Date: Wed, 13 May 2015 15:43:05 +0200 Cc: Content-Transfer-Encoding: quoted-printable Message-Id: References: <35A69C37-F4ED-4235-8491-5F66E355592F@gmx.de> <000b01d08d81$d40ffea0$7c2ffbe0$@c.elstone@ntlworld.com> To: James C Elstone X-Mailer: Apple Mail (2.1510) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 May 2015 13:48:19 -0000 On 13 mai 2015, at 15:36, James C Elstone = wrote: > Can anyone confirm if the SSL key chain on forums.freebsd.org is OK? >=20 > I'm getting a number of key chain errors with the Gandi key chain = lacking > intermediate CAs... looks OK to me, no warning. My own web site uses Gandi Cert too, do you = see the same error on https://patpro.net ?=20 Have you submitted forums.freebsd.org to = https://www.ssllabs.com/ssltest/analyze.html ? cheers, patpro From owner-freebsd-security@FreeBSD.ORG Wed May 13 17:13:51 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E24DDC93 for ; Wed, 13 May 2015 17:13:51 +0000 (UTC) Received: from eu1sys200aog103.obsmtp.com (eu1sys200aog103.obsmtp.com [207.126.144.115]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 523941A49 for ; Wed, 13 May 2015 17:13:50 +0000 (UTC) Received: from mail-wi0-f169.google.com ([209.85.212.169]) (using TLSv1) by eu1sys200aob103.postini.com ([207.126.147.11]) with SMTP ID DSNKVVOGOHSTsSL6ecf3CiXvFc+SivGpa1KS@postini.com; Wed, 13 May 2015 17:13:51 UTC Received: by mail-wi0-f169.google.com with SMTP id k4so207649319wiz.1 for ; Wed, 13 May 2015 10:13:28 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=9mFhpah3u06nMYRpVTYEvNO2t5kqRCH2yVg+aflLazg=; b=PHwz100ot7LEJpwYN+uSYmsDuiR1ZhZ9vxnooCOhfEbjv5UkRELIDOoj3/cDEQRk5i X09zXFVa7A2+2YuQI6BpygnvgzDNaTcNvOj5s6Na7K1t1l84d4pKKHy11ytisiZTNQ/r 1aVUqQmOtVVG6+ztsubr9AWNvpbpzQPd4b+vQP0kzzFxme986a2VI5jaaYqbRroQILzO R5dPWg8Z2KNgVRfww6rmT0zXL/hnBPape028uoNFS0GHTtyNJEphIt7z8ekGky2Kh7Fo DlNeKA4tIyneQc7oQtppFop+yS1TGR76RqNt/AtFXhpdhKetm69Uf4TkprbFpHZmisfp 2wyg== X-Received: by 10.194.89.130 with SMTP id bo2mr39703889wjb.17.1431527370057; Wed, 13 May 2015 07:29:30 -0700 (PDT) X-Gm-Message-State: ALoCoQkENdFNE/v+m9TdCtthWaLvimKNKKcCcblrETNes6y6JqwGnaHxpcopV6CupPohf2Pd5Gp/vgfAuI04RgO+CBxulNdjF9xNqzuy9Cl6zXGnjl2AI7Vpo/gFWgzVPNgzOHyi5dXliK2pNnjq8MrHV4ybF4sMcF1F2/8AQmbjtJVDLiz+4Vc= X-Received: by 10.194.89.130 with SMTP id bo2mr39703859wjb.17.1431527369848; Wed, 13 May 2015 07:29:29 -0700 (PDT) MIME-Version: 1.0 Received: by 10.194.14.161 with HTTP; Wed, 13 May 2015 07:29:09 -0700 (PDT) From: Paul Franklin Date: Wed, 13 May 2015 15:29:09 +0100 Message-ID: Subject: Re: Forums.FreeBSD.org - SSL Issue? To: freebsd-security@freebsd.org Cc: james.c.elstone@ntlworld.com Content-Type: text/plain; charset=ISO-8859-1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 May 2015 17:13:52 -0000 Hi James, Yes I agree, it looks like the wrong intermediate cert has been used... Certificate: Subject: CN=forums.freebsd.org Issuer: CN=Gandi Standard SSL CA 2 Intermediate: Subject: CN=Gandi Standard SSL CA The certificate issuer CN doens't match the intermediate subject CN (note the missing 2) Regards, Paul. This e-mail message including any attachment(s) is intended for the addressee only and may be confidential. If you are not the intended addressee, we request that you notify us immediately and delete this e-mail including any attachment(s), without copying, forwarding, disclosing or using this (these) in any other way. Registered Name: The Grass Roots Group UK Ltd Place of Incorporation: England & Wales Registered Office: Pennyroyal Court, Station Road, Tring, Herts. HP23 5QY Registered No.: 4155659 From owner-freebsd-security@FreeBSD.ORG Wed May 13 19:28:45 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E468883A for ; Wed, 13 May 2015 19:28:45 +0000 (UTC) Received: from eu1sys200aog123.obsmtp.com (eu1sys200aog123.obsmtp.com [207.126.144.155]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 53CDB1ADA for ; Wed, 13 May 2015 19:28:44 +0000 (UTC) Received: from mail-wi0-f175.google.com ([209.85.212.175]) (using TLSv1) by eu1sys200aob123.postini.com ([207.126.147.11]) with SMTP ID DSNKVVOl1nsrhQCzisKRGym140VrtmzCf3N5@postini.com; Wed, 13 May 2015 19:28:45 UTC Received: by mail-wi0-f175.google.com with SMTP id di4so68311865wid.0 for ; Wed, 13 May 2015 12:28:22 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=tUJwB6Q5W+K+uqJGC2tEfjvkkG0tGMaxuVZEgDAYzwY=; b=UkjStnrVxVhLEIc0RJfp9HuQOFV0OjEsOoJz0RyRoKbDcYGHCdUEbVr06OcTNh+iEi OiUKnZHGcrEGAmqXmACH5Bd7cnsjwhhXI7QjNfhtqow9d+bMRbsd9iAZ0KFPPbsq/YI8 dykicRqm8NuIntJnUUzcp1ucDusE9j14AoTVyPiVIvnov0MK5b1I1hrKnrjFFcEXWrO/ 3J2MLfmvV1/hTlJvO2vbqNeqopZcJ2wq8UbYRSMvfxwrKYq/qM6iJQimvd/aPxSnGNVT JfuaWeAmgBdOVpW8mtT91mBCJDQkt9XhOlj1GmF99CcQRTILma/i6SS1/j9f7Kiqllq9 xCUQ== X-Received: by 10.180.14.135 with SMTP id p7mr15441140wic.8.1431531094984; Wed, 13 May 2015 08:31:34 -0700 (PDT) X-Gm-Message-State: ALoCoQm3zqu7FlsLRia5RVHVFdN6eFbPm9ioss8Ban9ZYtyN4gDGW+ABhBQ7TbYfSXcsgcTksCi3y8ouyLj7vvKtrJSjxlVE+3zjvmXJ7Ubpqfn4zd44JclddjyHxRKpekY+sYJ/SoKGb+/GgrG+6QzjeMqr0V+kaXOLlj7Lo0Dntmlj4J84J4s= X-Received: by 10.180.14.135 with SMTP id p7mr15441066wic.8.1431531094434; Wed, 13 May 2015 08:31:34 -0700 (PDT) MIME-Version: 1.0 Received: by 10.194.14.161 with HTTP; Wed, 13 May 2015 08:31:14 -0700 (PDT) From: Paul Franklin Date: Wed, 13 May 2015 16:31:14 +0100 Message-ID: Subject: Forums.FreeBSD.org - SSL Issue? To: freebsd-security Cc: "james.c.elstone" Content-Type: text/plain; charset=ISO-8859-1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 May 2015 19:28:46 -0000 >> Hi All, >> Can anyone confirm if the SSL key chain on forums.freebsd.org is OK? >> I'm getting a number of key chain errors with the Gandi key chain lacking >> intermediate CAs... >> Kr, >> James. > > > Hi James, > Yes I agree, it looks like the wrong intermediate cert has been used... > Certificate: > Subject: CN=forums.freebsd.org > Issuer: CN=Gandi Standard SSL CA 2 > Intermediate: > Subject: CN=Gandi Standard SSL CA > The certificate issuer CN doens't match the intermediate subject CN > (note the missing 2) > Regards, > Paul. Hi all, This seems to have been resolved now James, please can you also confirm that you're no longer seeing the errors? It looks good to me Thanks, Paul. This e-mail message including any attachment(s) is intended for the addressee only and may be confidential. If you are not the intended addressee, we request that you notify us immediately and delete this e-mail including any attachment(s), without copying, forwarding, disclosing or using this (these) in any other way. Registered Name: The Grass Roots Group UK Ltd Place of Incorporation: England & Wales Registered Office: Pennyroyal Court, Station Road, Tring, Herts. HP23 5QY Registered No.: 4155659 From owner-freebsd-security@FreeBSD.ORG Wed May 13 21:45:08 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6B6FD5C1 for ; Wed, 13 May 2015 21:45:08 +0000 (UTC) Received: from briareus.schulte.org (briareus.schulte.org [198.204.225.190]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 38DB51A98 for ; Wed, 13 May 2015 21:45:08 +0000 (UTC) Received: from briareus.schulte.org (localhost [127.0.0.1]) by briareus.schulte.org (Postfix) with ESMTP id 39D331283B; Wed, 13 May 2015 16:44:01 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=schulte.org; h=from:to :cc:subject:date:message-id:references:in-reply-to:content-type :mime-version; s=20130123; i=christopher@schulte.org; bh=FA2xiP+ Cw8qipuUhjRUMp6SZzsgHXsIb70FuqDb5AQI=; b=oqrOd3fw+nuUY2XaflBjiVR CTWC4gZm8pW3TVhlXQWq739BXliLYIO33l4kgLbOeqbKNlZdahkdghcqu0j8HKYQ VX8dHLLCM5igHDBsGsyLbHerQ0T0zPGCkOXmwGcTSlCigYn5OxpUz7Ng/HMHgoYb JVdoeRoMLftV9Araiwco= x-schulte-info1: relayed through postfix client submission Received: from exchange2013.windows2012r2.schulte.org (10.200.1.188) by exchange2013.windows2012r2.schulte.org (10.200.1.188) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 13 May 2015 16:44:00 -0500 Received: from exchange2013.windows2012r2.schulte.org ([fe80::695c:2eae:3d60:8cd7]) by exchange2013.windows2012r2.schulte.org ([fe80::695c:2eae:3d60:8cd7%16]) with mapi id 15.00.0847.030; Wed, 13 May 2015 16:44:00 -0500 From: Christopher Schulte To: Paul Franklin CC: "freebsd-security@freebsd.org" , "james.c.elstone@ntlworld.com" Subject: Re: Forums.FreeBSD.org - SSL Issue? Thread-Topic: Forums.FreeBSD.org - SSL Issue? Thread-Index: AQHQjYksd5yFNg2CT0KEUKGfJDHR1J16xJQA Date: Wed, 13 May 2015 21:43:59 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: x-schulteexchange-note1: origination IP removed Content-Type: multipart/signed; boundary="Apple-Mail=_1DDE75A2-EE18-4E2F-8D96-78B24D432159"; protocol="application/pkcs7-signature"; micalg=sha1 MIME-Version: 1.0 X-Virus-Scanned: ClamAV using ClamSMTP X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 May 2015 21:45:08 -0000 --Apple-Mail=_1DDE75A2-EE18-4E2F-8D96-78B24D432159 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On May 13, 2015, at 9:29 AM, Paul Franklin = wrote: >=20 > Hi James, >=20 > Yes I agree, it looks like the wrong intermediate cert has been = used... >=20 > Certificate: > Subject: CN=3Dforums.freebsd.org > Issuer: CN=3DGandi Standard SSL CA 2 >=20 > Intermediate: > Subject: CN=3DGandi Standard SSL CA >=20 > The certificate issuer CN doens't match the intermediate subject CN > (note the missing 2) I=E2=80=99ll chime here with a related resource I use from time to time, = specifically with regard to website TLS/SSL certs. First, see: = http://perspectives1.schulte.org:8080/?host=3Dforums.freebsd.org&port=3D44= 3&service_type=3D2& Which is designed to be used with the Perspectives web browser plugin, = allowing supported browsers to query a set of trusted notary servers in = real time, comparing the certs (well, actually just the fingerprint of = the certs) stored in the notary servers with with the browser sees. = That can be used to potentially detect MITM attacks, even those using = trusted-CA-issued certs with would pass the browser=E2=80=99s trust = test. Separate from using it in-line with my web browser to help secure my = day-to-day browsing, I from time-to-time also manually query one of my = notaries, looking for cert history for a given target site. In this = case, it quickly allowed me to see that a new cert appears to have been = installed recently on the forums site, replacing the old one which had = been used since October of last year. It=E2=80=99s a slick tool. I use it along with other tools that query = things like DANE/DNSSEC properties (BTW: thanks, FreeBSD, for publishing = signed TLSA records!). You can see more about my Perspectives setup at = https://noc.schulte.org/perspectives.html, which also has a link to the = project=E2=80=99s homepage. You can pull down the server code and setup = your own set of trusted servers. I spread mine out across different = networks, improving the chance of detecting malicious activity. > Regards, > Paul. Chris --Apple-Mail=_1DDE75A2-EE18-4E2F-8D96-78B24D432159 Content-Disposition: attachment; filename="smime.p7s" Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIMZDCCBdkw ggPBoAMCAQICBxVsRjc7CPAwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoT DVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25p bmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA3MTAxNDIx MDI1NVoXDTIyMTAxNDIxMDI1NVowgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBM dGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQD Ey9TdGFydENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMsohUWcASz7GfKrpTOMKqANy9BV7V0igWdGxA8IU77L 3aTxErQ+fcxtDYZ36Z6GH0YFn7fq5RADteP0AYzrCA+EQTfi8q1+kA3m0nwtwXG94M5sIqsvs7lR P1aycBke/s5g9hJHryZ2acScnzczjBCAo7X1v5G3yw8MDP2m2RCye0KfgZ4nODerZJVzhAlOD9Ye jvAXZqHksw56HzElVIoYSZ3q4+RJuPXXfIoyby+Y2m1E+YzX5iCZXBx05gk6MKAW1vaw4/v2OOLy 6FZH3XHHtOkzUreG//CsFnB9+uaYSlR65cdGzTsmoIK8WH1ygoXhRBm98SD7Hf/r3FELNvUCAwEA AaOCAUwwggFIMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSu VYNv7DHKufcd+q9rMfPIHeOsuzAfBgNVHSMEGDAWgBROC+8apEBbpRdphzDKNGhD0EGu8jBpBggr BgEFBQcBAQRdMFswJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9jYTAwBggr BgEFBQcwAoYkaHR0cDovL2FpYS5zdGFydHNzbC5jb20vY2VydHMvY2EuY3J0MDIGA1UdHwQrMCkw J6AloCOGIWh0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL3Nmc2NhLmNybDBDBgNVHSAEPDA6MDgGBFUd IAAwMDAuBggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjANBgkq hkiG9w0BAQsFAAOCAgEAlNgU+n+Oa32jTcNKByC/CBnMaaLdHWp0mfjIiY4fKs6/0fyn31Is8lYD IepA+ll5CtSyIF3NkhbuSmrvWbiXJQxHFO/nuT9I6xz4ecry2XmoAhLDL4el2zDzG3lsJUal9jlG OSu7vxw5B6/yBObE9IyfT6dWcStO1GjEum8MTozsM4VUGUrm5er2IcVHn6k9ilNV8oTqFAtha3VC If6ma8sHftsPHviEagSIyg0L9cVbBIFBxyNfYF8a42QFL1gexHlbPGqDrBFZLAH4C/cAWpOCNpF+ gOgwE/omOBVwBdk7S+G/CDDdWvtUvG7nEDplx4eV9PHIS4lX7uRfSqQEEnp9FNhyyF3a5tP911Jf KVCG8pVZIp0OEqHXpSHR+c8zGxg+vcuE/KdAdlZl/zK0XJH6//B8xIP+sXIHug1sP5W4LVbibTwb iyoNwShVLfyoSKqhZnueGPFPBnQKDw10KtlQ1P0Dt5fXZ/CJMtGO0AdAOrarYmT72ZPhrhKfiBFa K8Z1AlqEegX6tW5/mzAWiv6PN0uDvL5TKol6vydP5X7xvlOyxv4984RwpahljlmIi0KOfo45nPMB kn9f2X9JcS8wjo7XRJU0KTunuwmqg1tPKEZ7HzR3jDFXCUZNDHZE6m164CDyYjDP8Nhdh2sQl20e tvpqH3/Lrjy7aqdRotQwggaDMIIFa6ADAgECAgI/ezANBgkqhkiG9w0BAQUFADCBjDELMAkGA1UE BhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENl cnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRl cm1lZGlhdGUgQ2xpZW50IENBMB4XDTEzMTIwMTAwMjcxNFoXDTE1MTIwMjE3MTQyMFowgZoxGTAX BgNVBA0TEFRUOUdkOUI0RjIxaDh2U0MxCzAJBgNVBAYTAlVTMRIwEAYDVQQIEwlNaW5uZXNvdGEx FjAUBgNVBAcTDUJyb29rbHluIFBhcmsxHDAaBgNVBAMTE0NocmlzdG9waGVyIFNjaHVsdGUxJjAk BgkqhkiG9w0BCQEWF2NocmlzdG9waGVyQHNjaHVsdGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAso+G404JkrQIxKHOfTq15BEaQcWdBDbR8hihftKkEfZQExsH0iCoi/VpLzsQ Kea9ldkz3MSIfJGg5kckFtfwb/gkFq4KS7wC0B/FP65bdcKpLaBc6x8Hxk27MChoO1KF1PMR4q5F 4TqSPQGGwjehopeBFwtw4ah6VwNnbB9FkYSmy5bzKKJ2uFovzXmn1nz6tyWp/pa4z+2kqESzRtSr U8apDCdbw+Xtl2mgQZOXi8AdhBGr2tSjqWhWeZnSHfHl6q49hAJLPVgymapyiu09gcoebVjjZiFX yq0x/ufYL5DzSvzdQIyNu3Bljkm5X66W+mTt2Y6aJi4SJ4mzfxfzEQIDAQABo4IC3TCCAtkwCQYD VR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1Ud DgQWBBR185DC0GGoCAcoQ4psKVjpddjz3zAfBgNVHSMEGDAWgBSuVYNv7DHKufcd+q9rMfPIHeOs uzAiBgNVHREEGzAZgRdjaHJpc3RvcGhlckBzY2h1bHRlLm9yZzCCAUwGA1UdIASCAUMwggE/MIIB OwYLKwYBBAGBtTcBAgMwggEqMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w b2xpY3kucGRmMIH3BggrBgEFBQcCAjCB6jAnFiBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhv cml0eTADAgEBGoG+VGhpcyBjZXJ0aWZpY2F0ZSB3YXMgaXNzdWVkIGFjY29yZGluZyB0byB0aGUg Q2xhc3MgMiBWYWxpZGF0aW9uIHJlcXVpcmVtZW50cyBvZiB0aGUgU3RhcnRDb20gQ0EgcG9saWN5 LCByZWxpYW5jZSBvbmx5IGZvciB0aGUgaW50ZW5kZWQgcHVycG9zZSBpbiBjb21wbGlhbmNlIG9m IHRoZSByZWx5aW5nIHBhcnR5IG9ibGlnYXRpb25zLjA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8v Y3JsLnN0YXJ0c3NsLmNvbS9jcnR1Mi1jcmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUF BzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMi9jbGllbnQvY2EwQgYIKwYB BQUHMAKGNmh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczIuY2xpZW50LmNh LmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQEFBQAD ggEBADkFdQaRJ/aSHKds1KEAboxXG9rT8ac+Fqe2Y179nRiaQSfadJNglW5qlakaIm6XvSuBt79j RzHRwXpdpCqVnhg495YhTcIjTe8xp+kD7yUEXzp1eyk9OU2af9dIiqli/ZyuQ5YhkUpb8ap5KIfC hqOI2292+8sLRkW4vuFwwdAP9qFny99r5zw7rhYX1WyqEMxIu7QQ+8jWkspZXKPok8WXhgPnslxf NZTezAkzEvmk+TPCMZT0QVQx2dGY1cOhYSbFVSCaS7RxvjJQfKeQcbgEEKD4tWfPcYdjmxwH1t6a +p1+lUfYEJutyUGbZHOvD1cJ1YTH1xR/A2jjDpqDDQsxggNsMIIDaAIBATCBkzCBjDELMAkGA1UE BhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENl cnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRl cm1lZGlhdGUgQ2xpZW50IENBAgI/ezAJBgUrDgMCGgUAoIIBrTAYBgkqhkiG9w0BCQMxCwYJKoZI hvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNTA1MTMyMTQzNTlaMCMGCSqGSIb3DQEJBDEWBBS7+lKx 1MIu3WvEdMY7MCuBmCr8HzCBpAYJKwYBBAGCNxAEMYGWMIGTMIGMMQswCQYDVQQGEwJJTDEWMBQG A1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUg U2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0ZSBD bGllbnQgQ0ECAj97MIGmBgsqhkiG9w0BCRACCzGBlqCBkzCBjDELMAkGA1UEBhMCSUwxFjAUBgNV BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNp Z25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xp ZW50IENBAgI/ezANBgkqhkiG9w0BAQEFAASCAQA/rCy6lnca/AdNMfWCBwToCL1dxPEa3F6nJZdf ZPXmwIek13Qq23FEKIxuKn8qSMNFmKdY0tgAA0R6j0f+Whg/eSnHTEuNqsaGKjppvbuYnG9NCUjp N/FrO+Xd8GzS6mvRqIKfm7xBy8Ho1vHQhBXhYTwIzkJwmvYxoSA9LfaQmDCmoaMa/yvrvLDiFwNf DwFZ7Cd8JVC99eJxoUjslZfZ3M8kLB4I0WwpuIETDAQNOYbjM5W6+kGJvPwNFJnIWzci8FpfoTbH djuCtqOhEOnSBGQWgQyR/qxNVAOc8DBznpT22rWB2Lv/R1ny2g8jKy3l9SZUuARIi5G7FWJ0UfoY AAAAAAAA --Apple-Mail=_1DDE75A2-EE18-4E2F-8D96-78B24D432159-- From owner-freebsd-security@FreeBSD.ORG Wed May 13 21:46:24 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 066336CC for ; Wed, 13 May 2015 21:46:24 +0000 (UTC) Received: from mail.modirum.com (mail.modirum.com [31.185.27.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B92A51ABA for ; Wed, 13 May 2015 21:46:23 +0000 (UTC) Received: from 183-45-11.connect.netcom.no ([176.11.45.183] helo=[10.224.172.182]) by mail.modirum.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85 (FreeBSD)) (envelope-from ) id 1Yse3K-0007JB-Gs; Wed, 13 May 2015 21:18:54 +0000 Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (1.0) Subject: Re: Forums.FreeBSD.org - SSL Issue? From: Anders Gulden Olstad X-Mailer: iPhone Mail (12F70) In-Reply-To: Date: Wed, 13 May 2015 23:18:53 +0200 Cc: "freebsd-security@freebsd.org" , "james.c.elstone@ntlworld.com" Content-Transfer-Encoding: quoted-printable Message-Id: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> References: To: Paul Franklin X-SA-Authenticated: Yes X-SA-Exim-Connect-IP: 176.11.45.183 X-SA-Exim-Mail-From: anders.olstad@modirum.com X-SA-Exim-Scanned: No (on mail.modirum.com); SAEximRunCond expanded to false X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 May 2015 21:46:24 -0000 Qualys report chain issues Sent from my iPhone > On 13 May 2015, at 16:29, Paul Franklin wrote: >=20 > Hi James, >=20 > Yes I agree, it looks like the wrong intermediate cert has been used... >=20 > Certificate: > Subject: CN=3Dforums.freebsd.org > Issuer: CN=3DGandi Standard SSL CA 2 >=20 > Intermediate: > Subject: CN=3DGandi Standard SSL CA >=20 > The certificate issuer CN doens't match the intermediate subject CN > (note the missing 2) >=20 >=20 > Regards, > Paul. > This e-mail message including any attachment(s) is intended for the addres= see only and may be confidential. If you are not the intended addressee, we r= equest that you notify us immediately and delete this e-mail including any a= ttachment(s), without copying, forwarding, disclosing or using this (these) i= n any other way. >=20 > Registered Name: The Grass Roots Group UK Ltd Place of Incorporation: Engl= and & Wales > Registered Office: Pennyroyal Court, Station Road, Tring, Herts. HP23 5QY > Registered No.: 4155659 >=20 > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org= " From owner-freebsd-security@FreeBSD.ORG Thu May 14 08:28:31 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E48F0EC8 for ; Thu, 14 May 2015 08:28:31 +0000 (UTC) Received: from rack.patpro.net (rack.patpro.net [193.30.227.216]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "patpro.net", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A40731F09 for ; Thu, 14 May 2015 08:28:31 +0000 (UTC) Received: from [192.168.0.2] (boleskine.patpro.net [82.230.142.222]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) by rack.patpro.net (Postfix) with ESMTPSA id EDFD7E26; Thu, 14 May 2015 10:28:27 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=patpro.net; s=201504-3edeac90; t=1431592108; bh=mYCe9Yp9mibitFizaNUHQtvqH2a37GA4XyuIrvQ9TEk=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=4RP+dakzOfb1cGQGDXN+prwyviI+ymxq1vLcTn3roeaypVlFk+rkfWdP29R++bCuP O+nhu4Cz2/zoXBwjTS53AIsxmGYYTk/ejpQSro6KFIOdRmw7p0Y9ExLW1G4UAIFoRB rWyCdoRkhysXl/UPHgocmE93OsIn2Y/3knNnRcfqvWj55Q3k+FUCj29td9ct4Ffedh S07RdZSaQK7PjLJksup5/BR7ATRYpiG1EFVNCQntY7OxgxoAyN5hWp3lSCmJfG5Z4e MiP2JwiwAZTO/IpNkMuhtjsgDb63RCL3gJdo5sqRjZ3a6VIdyWYgYEuTru9AJM0+m9 Gc3dt83VQPx1ZBfE2jAUtIU8Er4PVxGHqktoBtRjsPXT+lA+byL9LXv3AL049omJLl 7h5cIcsVUPqt18dfmzoKDKu2YqL4VnqzdXuNtCySTw1u3a5BMk9s1LDTh6efXcPzsx w/LPoqUHtg5xUbtJkkzwOveFDmXRd4G8+J4WthBZ95sBg3m/f8ApIPj8lxhEy4bSkD kd2qHqxCTqFd4n86xNH0hZY1ZU+43F05NxcO/VxraHkfQtKMYOc4T3pzs5z3wcB7mN rvePUe0tcQsUeRB4bvaDetBk/TFVCiCdmBmGTlDMwFRQlHhIkLJPPik41vGtkFE+Dn 3cqB027RneEMDZbSJCAEebcY= Subject: Re: Forums.FreeBSD.org - SSL Issue? Mime-Version: 1.0 (Apple Message framework v1085) Content-Type: text/plain; charset=us-ascii From: Patrick Proniewski In-Reply-To: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> Date: Thu, 14 May 2015 10:28:27 +0200 Cc: Liste FreeBSD-security Content-Transfer-Encoding: quoted-printable Message-Id: <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> To: Anders Gulden Olstad X-Mailer: Apple Mail (2.1085) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 08:28:32 -0000 On 13 mai 2015, at 23:18, Anders Gulden Olstad wrote: > Qualys report chain issues that's pretty odd, because I've checked too just after sending my reply = to the list (message id = A2D58CCB-8B0A-40FF-9ED1-89B698A830DD@patpro.net), and Qualys reported no = issues at all about the chain. That was about 7-8 hours before your = message. But well, the global note was B at this time, and now it's A+. They = obviously upgraded TLS from 1.0 to 1.2, ditched support for "old" = browsers, and made other cipher tuning. Good job admins (though I would = have been a bit more conservative about browser support). regards, patpro= From owner-freebsd-security@FreeBSD.ORG Thu May 14 10:02:30 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 05426CAE for ; Thu, 14 May 2015 10:02:30 +0000 (UTC) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 68F0C1B94 for ; Thu, 14 May 2015 10:02:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t4EA2HMr061703; Thu, 14 May 2015 20:02:17 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Thu, 14 May 2015 20:02:17 +1000 (EST) From: Ian Smith To: Patrick Proniewski cc: Anders Gulden Olstad , Liste FreeBSD-security Subject: Re: Forums.FreeBSD.org - SSL Issue? In-Reply-To: <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> Message-ID: <20150514193706.V69409@sola.nimnet.asn.au> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 10:02:30 -0000 On Thu, 14 May 2015 10:28:27 +0200, Patrick Proniewski wrote: > On 13 mai 2015, at 23:18, Anders Gulden Olstad wrote: > > > Qualys report chain issues > > that's pretty odd, because I've checked too just after sending my > reply to the list (message id > A2D58CCB-8B0A-40FF-9ED1-89B698A830DD@patpro.net), and Qualys reported > no issues at all about the chain. That was about 7-8 hours before > your message. > > But well, the global note was B at this time, and now it's A+. They > obviously upgraded TLS from 1.0 to 1.2, ditched support for "old" > browsers, and made other cipher tuning. Good job admins (though I > would have been a bit more conservative about browser support). Well, I can't reach https://forums.freebsd.org/ at all at the moment, my (admittedly ancient, on 8.2) SeaMonkey now consistenly reports: "Data Transfer Interrupted The connection to forums.freebsd.org has terminated unexpectedly. Some data may have been transferred." .. which I found pretty weird as I'd read this post - also not reachable now, of course - at 03:20 this morning, ie 17:20 UTC on 13th May: https://forums.freebsd.org/threads/virtualbox-4-3-26-wont-start.51341/ I checked 'forums.freebsd.org' at https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org which is currently showing: "The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B." That report also shows "Valid from Tue, 12 May 2015 00:00:00 UTC Valid until Tue, 17 May 2016 23:59:59 UTC (expires in 1 year)" although my successful access at 03:20 this morning above was over 41 hours later than that Server Key and Certificate #1 date. Hopefully a temporary glitch, though I rarely refer to the forums. No similar issue with https://www.freebsd.org/ luckily (a matter of time?) cheers, Ian From owner-freebsd-security@FreeBSD.ORG Thu May 14 10:41:07 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A093D81E for ; Thu, 14 May 2015 10:41:07 +0000 (UTC) Received: from thor.freshdata.pl (thor.freshdata.pl [148.251.122.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 634841100 for ; Thu, 14 May 2015 10:41:06 +0000 (UTC) Received: from dhcp46-187-149-223.eaw.com.pl ([46.187.149.223] helo=[192.168.2.100]) by thor.freshdata.pl with esmtpa (Exim 4.82_1-5b7a7c0-XX (FreeBSD)) (envelope-from ) id 1YsqEw-000CS3-JO for freebsd-security@freebsd.org; Thu, 14 May 2015 12:19:42 +0200 Message-ID: <555476CB.2010005@ivpro.net> Date: Thu, 14 May 2015 12:19:55 +0200 From: Adam Major User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> In-Reply-To: <20150514193706.V69409@sola.nimnet.asn.au> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 10:41:07 -0000 Hello I checked now by sslLabs.com: https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org and score is A+ But I don't think disable TLS 1.0 is ok. In test result paragraph: Handshake Simulation is informations that page will not work on: - Android 4.3 (and older) - IE 6,7,8 on XP/Vista - IE 8-10 on Win7 (TLS > 1.0 is disabled in default browser config) - old Java Very nice Web browser Secure protocols table: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers Best Regards. From owner-freebsd-security@FreeBSD.ORG Thu May 14 10:44:23 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C3B52ACB for ; Thu, 14 May 2015 10:44:23 +0000 (UTC) Received: from rack.patpro.net (rack.patpro.net [193.30.227.216]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "patpro.net", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 83EF01141 for ; Thu, 14 May 2015 10:44:23 +0000 (UTC) Received: from [192.168.0.2] (boleskine.patpro.net [82.230.142.222]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) by rack.patpro.net (Postfix) with ESMTPSA id C6EA9E71; Thu, 14 May 2015 12:44:20 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=patpro.net; s=201504-3edeac90; t=1431600260; bh=rzAdlcnOdc8zlHkRNJ+zRH0Cnzmpe4yUVSP09LH+s9w=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=crStgel2xnJEov1zBK9HpZ6PkCTE84ifixcDIHW6hybtMicaT7UVthrrOjC2Z4fMe DR1Ld3+xP85GV8yinKe+G9NxqeJ1+HOAFkdvTN4IX6FXgJVhSP6+ckqriOxzPQr9qa 1DiHoFbQn9+HIfA0pv8OucG3Ligfw5UPdmC1n+oytjoUG/Ob+qzuv5r0cVC094fzkT Igmvu/umQz9KG/KVG7E5Co8We5CuERLHAgHqGoMhVaXqOqtNn8foh9NiGMiqVdMA2B fHgrPmUS6MAKo2jFxsf5jeutL/yX8fUlylvgvbm3rkV4c0sN4BLAf000dQXevDuMvV uGeUZWXiMFsvYVbWnm8q+gtTCUFFXAcUTH1lWgHRG0PuD3llEH73N1ep9qPaSV8dxk llWbJiwdVVIGO3924eAGKp7ChihZfIYcOeCnU75gTcahvLPjD4ex6WQivgzghpSMKS L4N1Kt7lSjStNXRAfiRjtW7pB5exmeRK+erHYnoLu3mW453uHC/aH2BVbLuwKD5SD+ LlewZ2c+dI+OR6BJyyxi++1Pjg5UdBwgubwAVeRFsGMhpXVHvZ6TqZdrw8x3RECcKN mF/JGtk5y7Hs+m/6tObIbWq/gIA9KS4nZKIVNuuDmACQmEL30AbAbuz8r7Aw8phiW/ kIWMXpbUrL4Qsx03w7ELTWCc= Subject: Re: Forums.FreeBSD.org - SSL Issue? Mime-Version: 1.0 (Apple Message framework v1085) Content-Type: text/plain; charset=us-ascii From: Patrick Proniewski In-Reply-To: <20150514193706.V69409@sola.nimnet.asn.au> Date: Thu, 14 May 2015 12:44:20 +0200 Cc: Liste FreeBSD-security Content-Transfer-Encoding: quoted-printable Message-Id: References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> To: Ian Smith X-Mailer: Apple Mail (2.1085) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 10:44:23 -0000 On 14 mai 2015, at 12:02, Ian Smith wrote: > Well, I can't reach https://forums.freebsd.org/ at all at the moment, = my=20 > (admittedly ancient, on 8.2) SeaMonkey now consistenly reports: >=20 > "Data Transfer Interrupted > The connection to forums.freebsd.org has terminated unexpectedly. Some=20= > data may have been transferred." looks like your browser/OS does not support TLS 1.2. > I checked 'forums.freebsd.org' at=20 > https://www.ssllabs.com/ssltest/analyze.html?d=3Dforums.freebsd.org = which=20 > is currently showing: "The server supports only older protocols, but = not=20 > the current best TLS 1.2. Grade capped to B." I've printed the report as PDF: http://patpro.net/~patpro/SSL-Server-Test-forums.freebsd.org.pdf You can see what I see : grade A+, TLS 1.2 only, hence poor support for = old browser (more like old openssl) regards, patpro= From owner-freebsd-security@FreeBSD.ORG Thu May 14 11:10:19 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4C99555E for ; Thu, 14 May 2015 11:10:19 +0000 (UTC) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6881F13BE for ; Thu, 14 May 2015 11:10:17 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t4EBACRO064014; Thu, 14 May 2015 21:10:12 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Thu, 14 May 2015 21:10:12 +1000 (EST) From: Ian Smith To: Adam Major cc: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? In-Reply-To: <555476CB.2010005@ivpro.net> Message-ID: <20150514205215.X69409@sola.nimnet.asn.au> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 11:10:19 -0000 On Thu, 14 May 2015 12:19:55 +0200, Adam Major wrote: > Hello > > I checked now by sslLabs.com: > https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org > > and score is A+ Ah, so it is now .. it was still B only half an hour ago :) > But I don't think disable TLS 1.0 is ok. If that's why I still can't connect to https://forums.freebsd.org/ then no, it's not too friendly. Was/Is it really necessary to disable it? cheers, Ian > In test result paragraph: Handshake Simulation is informations that > page will not work on: > - Android 4.3 (and older) > - IE 6,7,8 on XP/Vista > - IE 8-10 on Win7 (TLS > 1.0 is disabled in default browser config) > - old Java > > > Very nice Web browser Secure protocols table: > > https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers > > > Best Regards. From owner-freebsd-security@FreeBSD.ORG Thu May 14 11:31:51 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 91DEFC64 for ; Thu, 14 May 2015 11:31:51 +0000 (UTC) Received: from smtp1.ms.mff.cuni.cz (smtp1.ms.mff.cuni.cz [IPv6:2001:718:1e03:801::4]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1F845171B for ; Thu, 14 May 2015 11:31:50 +0000 (UTC) X-SubmittedBy: id 100000045929 subject /C=CZ/O=Univerzita+20Karlova+20v+20Praze/CN=Dan+20Lukes/unstructuredName=100000045929 issued by /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA+20Personal+20CA+202 auth type TLS.MFF Received: from [172.20.1.29] (fw.ax.cz [77.240.102.126]) (authenticated) by smtp1.ms.mff.cuni.cz (8.14.9/8.14.9) with ESMTP id t4EBVfvD001629 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=OK) for ; Thu, 14 May 2015 13:31:47 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <5554879D.7060601@obluda.cz> Date: Thu, 14 May 2015 13:31:41 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1 MIME-Version: 1.0 To: Liste FreeBSD-security Subject: Re: Forums.FreeBSD.org - SSL Issue? References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> In-Reply-To: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 11:31:51 -0000 Patrick Proniewski wrote: >> "Data Transfer Interrupted >> The connection to forums.freebsd.org has terminated unexpectedly. Some >> data may have been transferred." > > looks like your browser/OS does not support TLS 1.2. I'm confused by FreeBSD policy, a lot. Base OpenSSL in still supported releases is too old version and doesn't support TLS 1.2 as well. Either TLS 1.0 is so insecure and should not be used, or is secure enough for FreeBSD. In the first case the base OpenSSL should be updated to something more recent (so dangerous TLS 1.0 only should be considered security issue). In the second case I see no reason to disable TLS 1.0 on https://forums.freebsd.org - regardless the Qualsys rating. I don't care which solution will be selected. Just my $0.02 Dan From owner-freebsd-security@FreeBSD.ORG Thu May 14 13:08:07 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4E757AAA for ; Thu, 14 May 2015 13:08:07 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 236B316A3 for ; Thu, 14 May 2015 13:08:06 +0000 (UTC) Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id E565220774 for ; Thu, 14 May 2015 09:08:05 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute6.internal (MEProxy); Thu, 14 May 2015 09:08:05 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=G4y4mF6c0KZPxAS LVM+JNtjrFa4=; b=R5fMRnqP4UV7hL/7i6QskQIBEJK1HvngbSYbaEBhPwZNj8t nZc5jVDsuv1DmUO5gx9lWHw2ImPeHmhV+cKLRfPi9O3CwRXvwfZRuqI/3N0wroYh ComJC2ijIDBoM7c1gGQurfBacWBVMTmX+3IZftMqJcB1OkSyGlIsKfVn/bnA= Received: by web3.nyi.internal (Postfix, from userid 99) id C526F118AA8; Thu, 14 May 2015 09:08:05 -0400 (EDT) Message-Id: <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> X-Sasl-Enc: U1zMwNCkpRBggFNIKydFMtGBMj/8Hmg4BWbywcVSUz/O 1431608885 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Thu, 14 May 2015 08:08:05 -0500 In-Reply-To: <555476CB.2010005@ivpro.net> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 13:08:07 -0000 On Thu, May 14, 2015, at 05:19, Adam Major wrote: > Hello > > I checked now by sslLabs.com: > https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org > > and score is A+ > > But I don't think disable TLS 1.0 is ok. > TLS 1.0 is dead and is even now banned in new installations according to the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported by *any* HTTPS site now. From owner-freebsd-security@FreeBSD.ORG Thu May 14 14:13:33 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7044C47B; Thu, 14 May 2015 14:13:33 +0000 (UTC) Received: from mail-ie0-x22e.google.com (mail-ie0-x22e.google.com [IPv6:2607:f8b0:4001:c03::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 434BE1FD6; Thu, 14 May 2015 14:13:33 +0000 (UTC) Received: by iebgx4 with SMTP id gx4so61149656ieb.0; Thu, 14 May 2015 07:13:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=LKp3CFSr4KjIBF2VoLqUGFtIRPMsvL9tHbHxxL6+vQ8=; b=V45hFNAldEhgOPxXWOBHdMW0mk0VaXU+hs+/TEVMhOga6uNz+lbFc6gSEPDBMBQW6h ZtQ6dXJus568JW7rVSs93Da6R6aWIHFxqL5GTyvV/EqwNU/IbpstZ/iXWsRtmcQLzNTG 4SS9rUrPJYAF7JEP0dntpoYcRKHKQxPSpDKptQMc7k1r+LctJ5pqnwXepVSZIUUrf11R TkjwLzZDKVumEX1hXwEgeVh9yPw2DrDA0mq3x+5fI9ItMhbyTiL/mhAKFiF6pMmkYK/m 14eMpnAHZKMjktAYHF0YS8xLP+RAbyVXS8csWWbgtAMpC8S/U0NmxfwDJq6bo32nml72 AcVg== MIME-Version: 1.0 X-Received: by 10.107.7.88 with SMTP id 85mr5638528ioh.42.1431612812583; Thu, 14 May 2015 07:13:32 -0700 (PDT) Received: by 10.79.4.148 with HTTP; Thu, 14 May 2015 07:13:32 -0700 (PDT) In-Reply-To: <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> Date: Thu, 14 May 2015 07:13:32 -0700 Message-ID: Subject: Re: Forums.FreeBSD.org - SSL Issue? From: jungle Boogie To: Mark Felder Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 14:13:33 -0000 On 14 May 2015 at 06:08, Mark Felder wrote: > > > On Thu, May 14, 2015, at 05:19, Adam Major wrote: >> Hello >> >> I checked now by sslLabs.com: >> https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org >> >> and score is A+ >> >> But I don't think disable TLS 1.0 is ok. >> > > TLS 1.0 is dead and is even now banned in new installations according to > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported > by *any* HTTPS site now. Here, here! We ONLY have 1.0 enabled until the hardware vendor can upgrade their software. I'm looking to celebrate the day when we have 1.1 and 1.2 enabled. -- ------- inum: 883510009027723 sip: jungleboogie@sip2sip.info xmpp: jungle-boogie@jit.si From owner-freebsd-security@FreeBSD.ORG Thu May 14 15:20:54 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A1B16E8A for ; Thu, 14 May 2015 15:20:54 +0000 (UTC) Received: from rack.patpro.net (rack.patpro.net [193.30.227.216]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "patpro.net", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5CEF7183E for ; Thu, 14 May 2015 15:20:53 +0000 (UTC) Received: from [192.168.0.2] (boleskine.patpro.net [82.230.142.222]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) by rack.patpro.net (Postfix) with ESMTPSA id F08CDF5C; Thu, 14 May 2015 17:20:44 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=patpro.net; s=201504-3edeac90; t=1431616845; bh=LGH7jMTH8VRfDBnZfAGCwymMsLiJC5xJEYF14cAIBFo=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=Sy0WbUggHZ45RRtgc2YH+Z8P3uh/ECGpi6p4i215lSJY+L2eTLZtUg0ZascO9h/zC AUgC9EFsZrHosL/mBHzoCmhpDBm1asKrHVxAVIDIxiwmTx5iyK4tGIUDB/IxCJvK/j gnlu0WWEzSPeQnsyZJpI6Hi9wnX0agJMQ/5fopiF+cKE09XCLlE8sDTSj+6Lfg92MB 09PFzn4n7hNJDBXr9dhU71hJEe4h1nQmPGISC69vN2Wz5Ypu1ycFlEQ9pv0ZjauZRu 9jX3doG9lMp7b5rWYWzGd9kiO+fl8+b4arh4RiBrZ1O0a0vH3DO5Q7l8mLuKF948uR 38RUZ2+0uyNB+x2xrLubEZeozz7BdmiVwEnIk2/4lv/zU1SvUna2HUn1oTYYzEzoin HPn0KB54m4Ck97ybQCdAlbObsIO6FkYqNUAndOAa8w8eBQCzHyJfKDLe/gwGrYUDXT WTkt7f7ar4+3Hk0oPH8ZeIeymgJCFNtgK0dvY3pVmpjBTKP3sypv1DPU8bRAZ+957D EQ6185V77K5pOnI5aw0kOqVSzK0a4BdY1z/Ti/h3RNzcxSqep1VKOoGRp6QyOAmPZh rsYSQdDnrpAuvSyUEWPd7eCiPAni0zdpDcZWC92sO4++iVrwSEAi4BJHu2MILW1WYM VNDaI0elTMU9NT77wV1EyOPY= Subject: Re: Forums.FreeBSD.org - SSL Issue? Mime-Version: 1.0 (Apple Message framework v1085) Content-Type: text/plain; charset=us-ascii From: Patrick Proniewski In-Reply-To: Date: Thu, 14 May 2015 17:20:44 +0200 Cc: jungle Boogie Content-Transfer-Encoding: quoted-printable Message-Id: References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> To: Liste FreeBSD-security X-Mailer: Apple Mail (2.1085) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 15:20:54 -0000 On 14 mai 2015, at 16:13, jungle Boogie wrote: > On 14 May 2015 at 06:08, Mark Felder wrote: >>=20 >> TLS 1.0 is dead and is even now banned in new installations according = to >> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be = supported >> by *any* HTTPS site now. >=20 >=20 > Here, here! We ONLY have 1.0 enabled until the hardware vendor can > upgrade their software. I'm looking to celebrate the day when we have > 1.1 and 1.2 enabled. That's always the problem with guys like you and me who live in the real = world. We can't cope with "what should be dead and no longer used". = Deprecated tomcat/Java/SSL/You-name-it software that you can't just = upgrade because it's used with hardware/software you can't get rid of. At work we are in the ridiculous state where we have to package old = browser + old Java into VMware ThinApp "bubbles" to access production = tools. Removing TSL 1.0 is not a good move. It's possible to provide SSL with = TLS 1.2, having protection against protocol downgrade, and still provide = TLS 1.1 and 1.0 for older browsers. patpro= From owner-freebsd-security@FreeBSD.ORG Thu May 14 15:31:58 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 89F3E3D6 for ; Thu, 14 May 2015 15:31:58 +0000 (UTC) Received: from thor.freshdata.pl (thor.freshdata.pl [148.251.122.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0542F1A84 for ; Thu, 14 May 2015 15:31:57 +0000 (UTC) Received: from dhcp46-187-149-223.eaw.com.pl ([46.187.149.223] helo=[192.168.2.100]) by thor.freshdata.pl with esmtpa (Exim 4.82_1-5b7a7c0-XX (FreeBSD)) (envelope-from ) id 1Ysv73-000G4o-NG for freebsd-security@freebsd.org; Thu, 14 May 2015 17:31:53 +0200 Message-ID: <5554C025.9090903@ivpro.net> Date: Thu, 14 May 2015 17:32:53 +0200 From: Adam Major User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> In-Reply-To: <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 15:31:58 -0000 Hello >> But I don't think disable TLS 1.0 is ok. >> > > TLS 1.0 is dead and is even now banned in new installations according to > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported > by *any* HTTPS site now. Maybe is dead but is used in many old browser / software still used. In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 to 30 June 2016. (new installations "in theory" should not be built on TLS 1.0). So we have 1 year and FreeBSD forum is not e-commerce site ;) Best Regards. From owner-freebsd-security@FreeBSD.ORG Thu May 14 15:54:17 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BC524CB9 for ; Thu, 14 May 2015 15:54:17 +0000 (UTC) Received: from fs.denninger.net (wsip-70-169-168-7.pn.at.cox.net [70.169.168.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "NewFS.denninger.net", Issuer "NewFS.denninger.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 745941D4C for ; Thu, 14 May 2015 15:54:16 +0000 (UTC) Received: from [192.168.1.40] (localhost [127.0.0.1]) by fs.denninger.net (8.14.9/8.14.8) with ESMTP id t4EFOhnJ038907 for ; Thu, 14 May 2015 10:24:43 -0500 (CDT) (envelope-from karl@denninger.net) Received: from [192.168.1.40] [192.168.1.40] (Via SSLv3 AES128-SHA) ; by Spamblock-sys (LOCAL/AUTH) Thu May 14 10:24:43 2015 Message-ID: <5554BE22.1000407@denninger.net> Date: Thu, 14 May 2015 10:24:18 -0500 From: Karl Denninger User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> In-Reply-To: Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms070507000503070203090203" X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 15:54:17 -0000 This is a cryptographically signed message in MIME format. --------------ms070507000503070203090203 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 5/14/2015 10:20, Patrick Proniewski wrote: > On 14 mai 2015, at 16:13, jungle Boogie wrote: > >> On 14 May 2015 at 06:08, Mark Felder wrote: >>> TLS 1.0 is dead and is even now banned in new installations according= to >>> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be support= ed >>> by *any* HTTPS site now. >> >> Here, here! We ONLY have 1.0 enabled until the hardware vendor can >> upgrade their software. I'm looking to celebrate the day when we have >> 1.1 and 1.2 enabled. > > That's always the problem with guys like you and me who live in the rea= l world. We can't cope with "what should be dead and no longer used". Dep= recated tomcat/Java/SSL/You-name-it software that you can't just upgrade = because it's used with hardware/software you can't get rid of. > At work we are in the ridiculous state where we have to package old bro= wser + old Java into VMware ThinApp "bubbles" to access production tools.= > > Removing TSL 1.0 is not a good move. It's possible to provide SSL with = TLS 1.2, having protection against protocol downgrade, and still provide = TLS 1.1 and 1.0 for older browsers. > > patpro > _______________________________________________ > I'd love to lock out TLS 1.0 but if you do that anyone still running anything that uses XP cannot connect. There ARE people out there still using that in the wild. Not a huge number, but a material number. On several relatively large systems I monitor the "in the wild" user count for Windows XP is still around 4% of all users to the sites. Same problem with RC4. I'd love to lock that out too, but see above -- that means 4% of the users can't connect (at all.) --=20 Karl Denninger karl@denninger.net /The Market Ticker/ --------------ms070507000503070203090203 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIGXzCC BlswggRDoAMCAQICASkwDQYJKoZIhvcNAQELBQAwgZAxCzAJBgNVBAYTAlVTMRAwDgYDVQQI EwdGbG9yaWRhMRIwEAYDVQQHEwlOaWNldmlsbGUxGTAXBgNVBAoTEEN1ZGEgU3lzdGVtcyBM TEMxHDAaBgNVBAMTE0N1ZGEgU3lzdGVtcyBMTEMgQ0ExIjAgBgkqhkiG9w0BCQEWE0N1ZGEg U3lzdGVtcyBMTEMgQ0EwHhcNMTUwNDIxMDIyMTU5WhcNMjAwNDE5MDIyMTU5WjBaMQswCQYD VQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEZMBcGA1UEChMQQ3VkYSBTeXN0ZW1zIExMQzEe MBwGA1UEAxMVS2FybCBEZW5uaW5nZXIgKE9DU1ApMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A MIICCgKCAgEAuYRY+EB2mGtZ3grlVO8TmnEvduVFA/IYXcCmNSOC1q+pTVjylsjcHKBcOPb9 TP1KLxdWP+Q1soSORGHlKw2/HcVzShDW5WPIKrvML+Ry0XvIvNBu9adTiCsA9nci4Cnf98XE hVpenER0qbJkBUOGT1rP4iAcfjet0lEgzPEnm+pAxv6fYSNp1WqIY9u0b1pkQiaWrt8hgNOc rJOiLbc8CeQ/DBP6rUiQjYNO9/aPNauEtHkNNfR9RgLSfGUdZuOCmJqnIla1HsrZhA5p69Bv /e832BKiNPaH5wF6btAiPpTr2sRhwQO8/IIxcRX1Vxd1yZbjYtJGw+9lwEcWRYAmoxkzKLPi S6Zo/6z5wgNpeK1H+zOioMoZIczgI8BlX1iHxqy/FAvm4PHPnC8s+BLnJLwr+jvMNHm82QwL J9hC5Ho8AnFU6TkCuq+P2V8/clJVqnBuvTUKhYMGSm4mUp+lAgR4L+lwIEqSeWVsxirIcE7Z OKkvI7k5x3WeE3+c6w74L6PfWVAd84xFlo9DKRdU9YbkFuFZPu21fi/LmE5brImB5P+jdqnK eWnVwRq+RBFLy4kehCzMXooitAwgP8l/JJa9VDiSyd/PAHaVGiat2vCdDh4b8cFL7SV6jPA4 k0MgGUA/6Et7wDmhZmCigggr9K6VQCx8jpKB3x1NlNNiaWECAwEAAaOB9DCB8TA3BggrBgEF BQcBAQQrMCkwJwYIKwYBBQUHMAGGG2h0dHA6Ly9jdWRhc3lzdGVtcy5uZXQ6ODg4ODAJBgNV HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBeAwLAYJYIZIAYb4QgENBB8W HU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTFHJQt6cloXBdG1Pv1 o2YgH+7lWTAfBgNVHSMEGDAWgBQkcZudhX383d29sMqSlAOh+tNtNTAdBgNVHREEFjAUgRJr YXJsQGRlbm5pbmdlci5uZXQwDQYJKoZIhvcNAQELBQADggIBAE9/dxi2YqjCYYhiybp4GKcm 7tBVa/GLW+qcHPcoT4dqmqghlLz8+iUH+HCJjRQATVGyMEnvISOKFVHC6aZIG+Sg7J8bfS4+ fjKDi9smRH2VPPx3bV8+yFYRNroMGHaPHZB/Xctmmvc+PZ9O2W7rExgrODtxIOB3Zs6wkYf+ ty+9r1KmTHlV+rRHI6timH1uiyFE3cPi1taAEBxf0851cJV8k40PGF8G48ewnq8SY9sCf5cv liXbpdgU+I4ND5BuTjg63WS32zuhLd1VSuH3ZC/QbcncMX5W3oLXmcQP5/5uTiBJy74kdPtG MSZ9rXwZPwNxP/8PXMSR7ViaFvjUkf4bJlyENFa2PGxLk4EUzOuO7t3brjMlQW1fuInfG+ko 3tVxko20Hp0tKGPe/9cOxBVBZeZH/VgpZn3cLculGzZjmdh2fqAQ6kv9Z9AVOG1+dq0c1zt8 2zm+Oi1pikGXkfz5UJq60psY6zbX25BuEZkthO/qiS4pxjxb7gQkS0rTEHTy+qv0l3QVL0wa NAT74Zaj7l5DEW3qdQQ0dtVieyvptg9CxkfQJE3JyBMb0zBj9Qhc5/hbTfhSlHzZMEbUuIyx h9vxqFAmGzfB1/WfOKkiNHChkpPW8ZeH9yPeDBKvrgZ96dREHFoVkDk7Vpw5lSM+tFOfdyLg xxhb/RZVUDeUMYIE4zCCBN8CAQEwgZYwgZAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdGbG9y aWRhMRIwEAYDVQQHEwlOaWNldmlsbGUxGTAXBgNVBAoTEEN1ZGEgU3lzdGVtcyBMTEMxHDAa BgNVBAMTE0N1ZGEgU3lzdGVtcyBMTEMgQ0ExIjAgBgkqhkiG9w0BCQEWE0N1ZGEgU3lzdGVt cyBMTEMgQ0ECASkwCQYFKw4DAhoFAKCCAiEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc BgkqhkiG9w0BCQUxDxcNMTUwNTE0MTUyNDE4WjAjBgkqhkiG9w0BCQQxFgQU8urPWZkRbmgT BWNAZTXQhr+RN+AwbAYJKoZIhvcNAQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAEC MAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzAN BggqhkiG9w0DAgIBKDCBpwYJKwYBBAGCNxAEMYGZMIGWMIGQMQswCQYDVQQGEwJVUzEQMA4G A1UECBMHRmxvcmlkYTESMBAGA1UEBxMJTmljZXZpbGxlMRkwFwYDVQQKExBDdWRhIFN5c3Rl bXMgTExDMRwwGgYDVQQDExNDdWRhIFN5c3RlbXMgTExDIENBMSIwIAYJKoZIhvcNAQkBFhND dWRhIFN5c3RlbXMgTExDIENBAgEpMIGpBgsqhkiG9w0BCRACCzGBmaCBljCBkDELMAkGA1UE BhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExEjAQBgNVBAcTCU5pY2V2aWxsZTEZMBcGA1UEChMQ Q3VkYSBTeXN0ZW1zIExMQzEcMBoGA1UEAxMTQ3VkYSBTeXN0ZW1zIExMQyBDQTEiMCAGCSqG SIb3DQEJARYTQ3VkYSBTeXN0ZW1zIExMQyBDQQIBKTANBgkqhkiG9w0BAQEFAASCAgCH6vvO gvffS1wWvfyUCO8bULNTxj37Nhuw2o5jWmkOwWYLb+JNhDCRb1yAEoJYGhFQT/vgiobBSUDX lacI3AspZdf9JPhN5/eQfEXHpzmB4yQD3yZm9bkVpOKVMxSBrOZUkNuYRIRg5x4tWZKFnWKr QTwA/speaESo5YjaJU8U2Ov8hBfvwAAfXykms5JjHvFXU0CVH9H5Y9BfLJzbWlawusSRVoJN d5JFhP5DKewiVWkYJdJPRTzheiqHxCmoi7AFsKwof+1O2FdKgkydWCSohXE33ozgJ1Sd81b/ 9Rh1Zly0o3xerkbXNhH4+S/IsdXo5YfpMYfHGHiCBlRhuOcqcXv1yQ1NytBrZ+a+rrYn0RZu d+QiQGjP4CNPIib0pcHp/dgoFEVo+9NG8Se8Wng7J+AwcOBvCGdMZfo+6D72XekcEumspDMf mFU761EYhEVi0fbdo/fEr7yRmZA0M1A2lwoV8QgxANMI7pdkmmzbFC9/tMosDbDnHJNT2TFy IdWBPJhK/+bxr4kA3fajzm8SfXjsaVQ810ZQaZadLhKkDOKik7xLfqN6KW+iHva2bnnGwoeo W+jhRHN56zAVkIpQG6rcKe9xthVTd06N0SVPFWMGesdKN903xMbvRTy7NhFhhldec/H0ycSs RanXe8UXeQm6U9I719S4TXX4Q08JRwAAAAAAAA== --------------ms070507000503070203090203-- From owner-freebsd-security@FreeBSD.ORG Thu May 14 17:23:13 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D8916F69 for ; Thu, 14 May 2015 17:23:13 +0000 (UTC) Received: from mail-in6.apple.com (mail-out6.apple.com [17.151.62.28]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A6527188F for ; Thu, 14 May 2015 17:23:13 +0000 (UTC) Received: from relay7.apple.com (relay7.apple.com [17.128.113.101]) by mail-in6.apple.com (Apple Secure Mail Relay) with SMTP id DD.CB.09025.00AD4555; Thu, 14 May 2015 10:23:12 -0700 (PDT) X-AuditID: 11973e15-f79fd6d000002341-d2-5554da00d9ac Received: from [17.149.228.53] (Unknown_Domain [17.149.228.53]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by relay7.apple.com (Apple SCV relay) with SMTP id 6B.7F.14260.8C9D4555; Thu, 14 May 2015 10:22:16 -0700 (PDT) Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\)) Subject: Re: Forums.FreeBSD.org - SSL Issue? From: Charles Swiger In-Reply-To: <5554BE22.1000407@denninger.net> Date: Thu, 14 May 2015 10:23:12 -0700 Cc: freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554BE22.1000407@denninger.net> To: Karl Denninger X-Mailer: Apple Mail (2.2098) X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrLLMWRmVeSWpSXmKPExsUi2FCYqstwKyTUYO1vBYueTU/YLO79uMLm wOSx/uA3Jo8Zn+azBDBFcdmkpOZklqUW6dslcGXMXrCKteAHR8WbTfvZGhib2LsYOTkkBEwk 5m/pYIawxSQu3FvP1sXIxSEksI9R4mHncTaYoiWzNrNAJKYySXR23gfrYBbQk9hx/RcriM0L ZD96+hhsqrCAjsSrmW2MXYwcHGwCahITJvKAhDkFdCVe7noD1soioCoxaUcvK8QYBYnJ879D jdSWWLbwNTPESCuJNQfWsYDYQgI3mSV+bC8CsUUE1CUWLVzJDDJeQkBW4utWOYgzv7JKNJ7J m8AoNAvJcbOQHDcLyYYFjMyrGIVyEzNzdDPzzPQSCwpyUvWS83M3MYLCd7qd6A7GM6usDjEK cDAq8fC+cAgJFWJNLCuuzD3EKM3BoiTOq3sZKCSQnliSmp2aWpBaFF9UmpNafIiRiYNTqoFR LK4wJU/q0hWt2o38DTvmnL6tLMIhoih+gkmSy+ud07MffWf0Vh1K6K05cGTu8/Lp3RnvPK8d FuJrd15wdo/cxMuJLGvfqXc9ufA2Tii+nCUi909Ye+szJ78LT9Pfrd5hKXuhz5hP2+bllfYn GksOSPku0IgK2Hc8ViRp1e+K//+rrMwmbPmnxFKckWioxVxUnAgAfLgTS0ACAAA= X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrILMWRmVeSWpSXmKPExsUiOPWJqe6JmyGhBl82mlj0bHrCZnHvxxU2 ByaP9Qe/MXnM+DSfJYApissmJTUnsyy1SN8ugStj9oJVrAU/OCrebNrP1sDYxN7FyMkhIWAi sWTWZhYIW0ziwr31bF2MXBxCAlOZJDo77zODJJgF9CR2XP/FCmLzAtmPnj4GaxYW0JF4NbON sYuRg4NNQE1iwkQekDCngK7Ey11vwFpZBFQlJu3oZYUYoyAxef53qJHaEssWvmaGGGklsebA OrAbhARuMkv82F4EYosIqEssWriSGWS8hICsxNetchMY+WchOWgWkoNmIZm6gJF5FaNAUWpO YqW5XmJBQU6qXnJ+7iZGUMA1FKbuYGxcbnWIUYCDUYmH94VDSKgQa2JZcWXuIUYJDmYlEV7x G0Ah3pTEyqrUovz4otKc1OJDjNIcLErivKVbvUOFBNITS1KzU1MLUotgskwcnFINjMuW3ld+ rf31yx5phr/+Cz9s+V7Od5rR7dSR6h9O9WFJGjZ91mt2rTuy7n1u17zjh/Pv6j76nNGaKK/d oCJsd/HhxO2zTv/auHe62mEntckK5/3FbDPOLDD6Ob+jWbHlFbdv6N0VOZ3PfQMk7oQvtbhV HVTEphe+obCk4GHPNC0n1p1zC6UNzyixFGckGmoxFxUnAgAz7uf1NAIAAA== X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 17:23:14 -0000 On May 14, 2015, at 8:24 AM, Karl Denninger wrote: > [ ... ] > I'd love to lock out TLS 1.0 but if you do that anyone still running > anything that uses XP cannot connect. True for WinXP + IE6: = https://www.ssllabs.com/ssltest/viewClient.html?name=3DIE&version=3D6&plat= form=3DXP However, large financial institutions like the major banks and large = e-commerce sites have disabled SSL v2 and SSL v3. Folks still on XP will need to = use IE8, Firefox, Chrome, etc if they want to talk to many secure websites. > There ARE people out there still using that in the wild. Not a huge > number, but a material number. On several relatively large systems I > monitor the "in the wild" user count for Windows XP is still around 4% > of all users to the sites. >=20 > Same problem with RC4. I'd love to lock that out too, but see above = -- > that means 4% of the users can't connect (at all.) WinXP + IE6 or IE8 should be the only common client which has RC4-SHA or RC4-MD5 as the best supported cipher. Everything else should support AES128-SHA or better. Regards, --=20 -Chuck From owner-freebsd-security@FreeBSD.ORG Thu May 14 19:11:57 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7C0B73FD for ; Thu, 14 May 2015 19:11:57 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4CC4B162F for ; Thu, 14 May 2015 19:11:56 +0000 (UTC) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id E1C3C22B65 for ; Thu, 14 May 2015 15:11:54 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute5.internal (MEProxy); Thu, 14 May 2015 15:11:54 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=HVPzX1UHe+q/9hd 4w1I5EtGJq78=; b=W6cgNLt9q3l9X74nl/arE8+NF2eYbixB9tw31dEDVJ0RuW0 8FjFN1DU2gLfz69euKjCuT6oKQvpj3zRmP1n2+4GOPvCNtnBZi5PGmk2YexjEIg4 /PD1CFna0q3PjCUXg8ZV5GUsXSCr9jxKuRhAgl1V4YIOUyXjO3xgkTlLg1zA= Received: by web3.nyi.internal (Postfix, from userid 99) id AC3D71049EE; Thu, 14 May 2015 15:11:54 -0400 (EDT) Message-Id: <1431630714.2625524.268991529.7AC9C0B4@webmail.messagingengine.com> X-Sasl-Enc: UtXulc20ATw5w+JKedy5qqPoHstmQF1p+RaWQ4e3+xQC 1431630714 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Thu, 14 May 2015 14:11:54 -0500 In-Reply-To: References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2015 19:11:57 -0000 On Thu, May 14, 2015, at 10:20, Patrick Proniewski wrote: > On 14 mai 2015, at 16:13, jungle Boogie wrote: > > > On 14 May 2015 at 06:08, Mark Felder wrote: > >> > >> TLS 1.0 is dead and is even now banned in new installations according to > >> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported > >> by *any* HTTPS site now. > > > > > > Here, here! We ONLY have 1.0 enabled until the hardware vendor can > > upgrade their software. I'm looking to celebrate the day when we have > > 1.1 and 1.2 enabled. > > > That's always the problem with guys like you and me who live in the real > world. We can't cope with "what should be dead and no longer used". > Deprecated tomcat/Java/SSL/You-name-it software that you can't just > upgrade because it's used with hardware/software you can't get rid of. > At work we are in the ridiculous state where we have to package old > browser + old Java into VMware ThinApp "bubbles" to access production > tools. > > Removing TSL 1.0 is not a good move. It's possible to provide SSL with > TLS 1.2, having protection against protocol downgrade, and still provide > TLS 1.1 and 1.0 for older browsers. > I'm in the same boat right now fighting with a vendor who can't get their software to work beyond Java 1.7u45 (Java 7 is EoL ...) You can and will get rid of it when the cost of maintaining that awful, insecure software stack is more than throwing it away and cutting your losses. There is a righteous push right now for security and for new development practices: release early, release often, keep your software tested and working against modern software and libraries. This creates work for corporations and increases the cost of maintaining their cash cows. It's going to cut into their bottom lines. They're going to get angry. But their software is going to be better for it. Right now it's too easy to hack and compromise because the entire internet is lazy. Bad security practices have completely poisoned the well and it's time to forcibly drain it and start anew. It's going to hurt, and it's not going to be fun for grandma because someone needs to pick up the slack and make keeping up to date and secure computing a thoughtless task. For example, Windows 10 looks to eventually be a rolling release; strategies like that will help keep end-users up to date and secure. Personally I agree with phk that we don't need https *everywhere*. However, if you're going to implement crypto you need to do it right. From owner-freebsd-security@FreeBSD.ORG Fri May 15 08:08:00 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A1E23763 for ; Fri, 15 May 2015 08:08:00 +0000 (UTC) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1AB05171B for ; Fri, 15 May 2015 08:07:59 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t4F87swm007162; Fri, 15 May 2015 18:07:55 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Fri, 15 May 2015 18:07:54 +1000 (EST) From: Ian Smith To: Adam Major cc: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? In-Reply-To: <5554C025.9090903@ivpro.net> Message-ID: <20150515173820.M69409@sola.nimnet.asn.au> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554C025.9090903@ivpro.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 May 2015 08:08:00 -0000 On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote: > Hello > > >> But I don't think disable TLS 1.0 is ok. > >> > > > > TLS 1.0 is dead and is even now banned in new installations according to > > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported > > by *any* HTTPS site now. > > Maybe is dead but is used in many old browser / software still used. > > In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 to 30 June 2016. > (new installations "in theory" should not be built on TLS 1.0). > > So we have 1 year and FreeBSD forum is not e-commerce site ;) People seem determined to make sure freebsd forums are one of the first sites to ban TLS 1.0, as some sort of best-practice example. I admit my knowledge of TLS issues is scant. I'd like to know whether allowing TLS 1.0 - with fallback from later levels denied, as it already is - endangers the server, or only the client? If there's a clearly stated and immediate danger to the forum server, I can accept that, but I'd have thought https://www and svnweb would be more at such peril? Will there be any notice before they're denied TLS 1.0 access also? If it's just for making the sort of point that Mark is advocating, to force people to join this 'rolling automatic update' model so beloved of Microsoft and their captive hardware vendors, then I think doing that, without any sort of prior notice, is rather less than I've come to expect from the FreeBSD project over 17 years. But I'm a grandpa too; guess I have old-fashioned expectations :) cheers, Ian From owner-freebsd-security@FreeBSD.ORG Fri May 15 12:51:43 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 96B9B5D4 for ; Fri, 15 May 2015 12:51:43 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6805717CB for ; Fri, 15 May 2015 12:51:43 +0000 (UTC) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 4093120AF2 for ; Fri, 15 May 2015 08:51:34 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute5.internal (MEProxy); Fri, 15 May 2015 08:51:34 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=tKvsWNdwF2RuRM+ TGHE2m7G34GQ=; b=byljsrmYqXpRZz5vT/OqdDgy4uIBbY+lidFqzxVki0zDKmF 71PVOnRH3+auRNn2lNhh6jjnLLQvkRsT7HJBiv9IEBGnfDkywqcgotLNJ0FW6PYy tHipBZByMPOiY8zNVA9t+MhDTHZgs1xuGd3d5pTg28/e7Rui7MBR475dDe5k= Received: by web3.nyi.internal (Postfix, from userid 99) id 18BB7105F4E; Fri, 15 May 2015 08:51:34 -0400 (EDT) Message-Id: <1431694294.3518862.269597633.213CD919@webmail.messagingengine.com> X-Sasl-Enc: Ca4jJcNlE669j+DCvFoQq8IMjwJDOwCELMagpesVSIN9 1431694294 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Fri, 15 May 2015 07:51:34 -0500 In-Reply-To: <20150515173820.M69409@sola.nimnet.asn.au> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554C025.9090903@ivpro.net> <20150515173820.M69409@sola.nimnet.asn.au> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 May 2015 12:51:43 -0000 On Fri, May 15, 2015, at 03:07, Ian Smith wrote: > On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote: > > Hello > > > > >> But I don't think disable TLS 1.0 is ok. > > >> > > > > > > TLS 1.0 is dead and is even now banned in new installations according to > > > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported > > > by *any* HTTPS site now. > > > > Maybe is dead but is used in many old browser / software still used. > > > > In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 to 30 June 2016. > > (new installations "in theory" should not be built on TLS 1.0). > > > > So we have 1 year and FreeBSD forum is not e-commerce site ;) > > People seem determined to make sure freebsd forums are one of the first > sites to ban TLS 1.0, as some sort of best-practice example. > > I admit my knowledge of TLS issues is scant. I'd like to know whether > allowing TLS 1.0 - with fallback from later levels denied, as it already > is - endangers the server, or only the client? If there's a clearly > stated and immediate danger to the forum server, I can accept that, but > I'd have thought https://www and svnweb would be more at such peril? > Will there be any notice before they're denied TLS 1.0 access also? > The danger is decryption. Your username/password could be stolen if someone captures your traffic after successfully initiating a downgrade attack. You can't login to www.freebsd.org or svnweb. The most they can do is see what you're browsing, which isn't private anyway. > If it's just for making the sort of point that Mark is advocating, to > force people to join this 'rolling automatic update' model so beloved of > Microsoft and their captive hardware vendors, then I think doing that, > without any sort of prior notice, is rather less than I've come to > expect from the FreeBSD project over 17 years. > > But I'm a grandpa too; guess I have old-fashioned expectations :) > Microsoft has nothing to do with this. They're setting a good example. OSX is sort-of on that train too. FreeBSD has always been ahead of the curve with the ports tree being a rolling-release model. We need the Linux distros to get their heads on straight now, too. Just a reminder: I don't speak for the project in these matters. I'm just telling you what best current practices are. I have no idea who made that decision for the forums, or if it's even worth having the forums on https anyway. If it was up to me I probably wouldn't even put https on the forums even though Google will penalize it in search results. (Sure, you have a user account there... but it doesn't really do anything... you're not using the same credentials everywhere are you?) Actually, that might be the reason -- Google search results. Perhaps Google is also logging what protocols/ciphers your HTTPS has and is using that in search rankings. From owner-freebsd-security@FreeBSD.ORG Fri May 15 13:41:14 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 194CDAC for ; Fri, 15 May 2015 13:41:14 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E048D1D71 for ; Fri, 15 May 2015 13:41:13 +0000 (UTC) Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id F2F7220996 for ; Fri, 15 May 2015 09:41:12 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute6.internal (MEProxy); Fri, 15 May 2015 09:41:12 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=YHiseUjW3Fw9cNi gO67l6Z5pb9k=; b=obs6kIkHNILMfOTk4VaDW58lvx3t9lxleaffwzAjoKS7TLB lUgiwNC7JJXByrVvCLr5gDNfEKf8OZ3fJSqotu+9/wWAo56zs2hLHo08Eq+81cjq pyViZPv5TNWHmi7sPgRdOIcZfcvrKSmSYPgkC0SFHlSQgpEt4UfqJQeP9Dk8= Received: by web3.nyi.internal (Postfix, from userid 99) id C4AE610649B; Fri, 15 May 2015 09:41:12 -0400 (EDT) Message-Id: <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> X-Sasl-Enc: 0d0TwWe7GvH06G26NDc+e0z7DnG89Vq7EOPxbz2hLn82 1431697272 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Fri, 15 May 2015 08:41:12 -0500 In-Reply-To: <5554879D.7060601@obluda.cz> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 May 2015 13:41:14 -0000 On Thu, May 14, 2015, at 06:31, Dan Lukes wrote: > Patrick Proniewski wrote: > >> "Data Transfer Interrupted > >> The connection to forums.freebsd.org has terminated unexpectedly. Some > >> data may have been transferred." > > > > looks like your browser/OS does not support TLS 1.2. > > I'm confused by FreeBSD policy, a lot. > > Base OpenSSL in still supported releases is too old version and doesn't > support TLS 1.2 as well. > > Either TLS 1.0 is so insecure and should not be used, or is secure > enough for FreeBSD. > When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't have these vulnerabilities or problems. In fact, TLS 1.2 existed as a protocol (2008) but OpenSSL didn't even implement it yet (not until 2010)! Thankfully FreeBSD 8 is EoL on June 30, 2015, but we still have to live with FreeBSD 9.3 until Dec 31 2016. That's going to be painful, but we shouldn't kill it off sooner than we have to as a courtesy to our users. FreeBSD needs to change, too. That is not being ignored. In the future FreeBSD's base libraries like OpenSSL hopefully will be private: only the base system knows they exist; no other software will see them. This will mean that every port/package you install requiring OpenSSL will *always* use OpenSSL from ports/packages; no conflict is possible. This also solves the problem of stale software in the base system and allows FreeBSD to do major upgrades of this software in point releases to keep the base system fresh. Last I knew this approach was still being discussed, but it will be a fantastic improvement to the FreeBSD OS model when it happens. From owner-freebsd-security@FreeBSD.ORG Fri May 15 15:22:15 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7038D636 for ; Fri, 15 May 2015 15:22:15 +0000 (UTC) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 5DF6B1A1B for ; Fri, 15 May 2015 15:22:14 +0000 (UTC) Date: Fri, 15 May 2015 08:22:07 -0700 (PDT) From: Roger Marquis To: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? In-Reply-To: <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> User-Agent: Alpine 2.11 (BSF 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 May 2015 15:22:15 -0000 Mark Felder wrote: > In the future FreeBSD's base libraries like OpenSSL hopefully will be > private: only the base system knows they exist; no other software will > see them. This will mean that every port/package you install requiring > OpenSSL will *always* use OpenSSL from ports/packages; no conflict is > possible. That's one way of approaching it but there are drawbacks to this method. Maintaining two sets of binaries and libraries that must be kept separate (using what kind of ACLs?) adds complexity. Complexity is the enemy of security. Another option is a second openssl port, one that overwrites base and guarantees compatibility with RELEASE. Then we could at least have all versions of openssl in vuln.xml (not that that's been a reliable indicator of security of late). Roger Marquis From owner-freebsd-security@FreeBSD.ORG Fri May 15 16:02:48 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 040FCB34 for ; Fri, 15 May 2015 16:02:48 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C90061EEA for ; Fri, 15 May 2015 16:02:47 +0000 (UTC) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 825B3208E3 for ; Fri, 15 May 2015 12:02:46 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute4.internal (MEProxy); Fri, 15 May 2015 12:02:46 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=EPd6/1KXgL2PPQV TqpCyLz5ZH0k=; b=HIRupS9hX1O1PRgcWQUyrsWbEMQsx4o2xPn2lFlcCEO/QoT wCQ5sfpUokBgoYPCO6s7zAi4ci+TjBkPZeBYXhJnAOVAjd4EkvGzv4vsJ3XwZoYX 2HoQwJlL/yQA62XkqFMy55GgZc7ajIPt+n2gsL908L06GgNje5QVnYWuZ8GE= Received: by web3.nyi.internal (Postfix, from userid 99) id 637E11071B8; Fri, 15 May 2015 12:02:46 -0400 (EDT) Message-Id: <1431705766.3563083.269738569.0FA82C3E@webmail.messagingengine.com> X-Sasl-Enc: ecYoY6eY2XnoLyxfRbFiXZpNyMroMgRwMDjrxwBsi30T 1431705766 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Fri, 15 May 2015 11:02:46 -0500 In-Reply-To: <20150515152220.C0CC7689@hub.freebsd.org> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <20150515152220.C0CC7689@hub.freebsd.org> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 May 2015 16:02:48 -0000 On Fri, May 15, 2015, at 10:22, Roger Marquis wrote: > Mark Felder wrote: > > In the future FreeBSD's base libraries like OpenSSL hopefully will be > > private: only the base system knows they exist; no other software will > > see them. This will mean that every port/package you install requiring > > OpenSSL will *always* use OpenSSL from ports/packages; no conflict is > > possible. > > That's one way of approaching it but there are drawbacks to this method. > Maintaining two sets of binaries and libraries that must be kept separate > (using what kind of ACLs?) adds complexity. Complexity is the enemy of > security. > It should be less complex than you're thinking. It's literally just libraries outside the linker search path. > Another option is a second openssl port, one that overwrites base and > guarantees compatibility with RELEASE. Then we could at least have all > versions of openssl in vuln.xml (not that that's been a reliable > indicator of security of late). > This will never work. You can't guarantee compatibility with RELEASE and upgrade it too. From owner-freebsd-security@FreeBSD.ORG Fri May 15 17:33:00 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0C245DBD for ; Fri, 15 May 2015 17:33:00 +0000 (UTC) Received: from slim.berklix.org (slim.berklix.org [94.185.90.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 95E6B1AA9 for ; Fri, 15 May 2015 17:32:58 +0000 (UTC) Received: from mart.js.berklix.net (p5DCBD461.dip0.t-ipconnect.de [93.203.212.97]) (authenticated bits=128) by slim.berklix.org (8.14.5/8.14.5) with ESMTP id t4FHXcce006348; Fri, 15 May 2015 19:33:38 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id t4FHWfuk052330; Fri, 15 May 2015 19:32:41 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.14.7/8.14.7) with ESMTP id t4FHWNpJ031406; Fri, 15 May 2015 19:32:35 +0200 (CEST) (envelope-from jhs@berklix.com) Message-Id: <201505151732.t4FHWNpJ031406@fire.js.berklix.net> To: FreeBSD-security Subject: Re: Forums.FreeBSD.org - SSL Issue? From: "Julian H. Stacey" Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany User-agent: EXMH on FreeBSD http://berklix.com/free/ X-URL: http://www.berklix.com In-reply-to: Your message "Thu, 14 May 2015 17:20:44 +0200." Date: Fri, 15 May 2015 19:32:23 +0200 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 May 2015 17:33:00 -0000 Patrick Proniewski wrote: > That's always the problem with guys like you and me who live in the real world. We can't cope with "what should be dead and no longer used". Deprecated tomcat/Java/SSL/You-name-it software that you can't just upgrade because it's used with hardware/software you can't get rid of. FreeBSD needs more mature code management to restrict idealists, eg: - src/ bsd tar : bad code rushed in too soon to replace Gnu (I filed fixes). - ports/mail/majordomo : Deleted as mature! An immature reason. - ports/print/acroread9 deleted for security (so use chroot) & as Adobe support ceased (so use compat/). Government would fine me lots of money & close down the company if I don't continue use of it. - Those last two I will need to maintain outside FreeBSD.org. Cheers, Julian -- Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com Indent previous with "> ". Reply Below as a play script. Send plain text, Not quoted-printable, HTML, or base64. From owner-freebsd-security@FreeBSD.ORG Fri May 15 18:34:34 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 969DC9C8 for ; Fri, 15 May 2015 18:34:34 +0000 (UTC) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 8570911F6 for ; Fri, 15 May 2015 18:34:34 +0000 (UTC) Date: Fri, 15 May 2015 11:34:33 -0700 (PDT) From: Roger Marquis To: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? In-Reply-To: <1431705766.3563083.269738569.0FA82C3E@webmail.messagingengine.com> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <20150515152220.C0CC7689@hub.freebsd.org> <1431705766.3563083.269738569.0FA82C3E@webmail.messagingengine.com> User-Agent: Alpine 2.11 (BSF 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 May 2015 18:34:34 -0000 Mark Felder wrote: >> Another option is a second openssl port, one that overwrites base and >> guarantees compatibility with RELEASE. Then we could at least have all >> versions of openssl in vuln.xml (not that that's been a reliable >> indicator of security of late). >> > > This will never work. You can't guarantee compatibility with RELEASE and > upgrade it too. How do you figure? RedHat does exactly that with every backport, and they do it for the life of a release. Roger From owner-freebsd-security@FreeBSD.ORG Fri May 15 21:53:35 2015 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C10D4302 for ; Fri, 15 May 2015 21:53:35 +0000 (UTC) Received: from gw.catspoiler.org (unknown [IPv6:2001:4978:f:678::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 57A43190C for ; Fri, 15 May 2015 21:53:35 +0000 (UTC) Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.13.3/8.13.3) with ESMTP id t4FLrQGj021958; Fri, 15 May 2015 14:53:30 -0700 (PDT) (envelope-from truckman@FreeBSD.org) Message-Id: <201505152153.t4FLrQGj021958@gw.catspoiler.org> Date: Fri, 15 May 2015 14:53:26 -0700 (PDT) From: Don Lewis Subject: Re: Forums.FreeBSD.org - SSL Issue? To: marquis@roble.com cc: freebsd-security@FreeBSD.org In-Reply-To: <20150515183437.A2380A09@hub.freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 May 2015 21:53:35 -0000 On 15 May, Roger Marquis wrote: > Mark Felder wrote: >>> Another option is a second openssl port, one that overwrites base and >>> guarantees compatibility with RELEASE. Then we could at least have all >>> versions of openssl in vuln.xml (not that that's been a reliable >>> indicator of security of late). >>> >> >> This will never work. You can't guarantee compatibility with RELEASE and >> upgrade it too. > > How do you figure? RedHat does exactly that with every backport, and > they do it for the life of a release. They have paying customers to cover the cost of the salaries of the Red Hat employees who backport security fixes to whatever version of software that they included in the initial release if it has been abandoned by its upstream source. Don't expect any new features, though. According to , RHEL 4 is supported through March 2017 and RHEL 5 is supported through November 2020, though both are now in the extended lifecycle support phase, which is an "add on" and probably costs an extra leg. RHEL 4 uses openssl 0.9.7 and RHEL 5 uses openssl 0.9.8. According to , upstream support for the former ended in February 2007 and the latter will end at the end of 2015. Neither support TLS v1.1 or v1.2. If you need that and you are stuck on one of these versions of RHEL, you are on your own and have to wedge a newer version into the system yourself by downloading the source, running configure and make, and installing under /usr/local. Then you need to build whatever needs the new openssl yourself, making sure that it picks up the right version. No shiny RPMs for you! I used to run CentOS 4 (RHEL 4 clone) at a previous job. It came with an ancient version of gcc that wasn't capable of compling some other piece of software that I needed. I needed to wedge in a recent version of gcc, binutils, and a bunch of other dependencies before I could even get around to building the software package that actually needed. From owner-freebsd-security@FreeBSD.ORG Sat May 16 06:38:42 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id F31F0620 for ; Sat, 16 May 2015 06:38:42 +0000 (UTC) Received: from smtp1.ms.mff.cuni.cz (smtp1.ms.mff.cuni.cz [IPv6:2001:718:1e03:801::4]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7F5111EC2 for ; Sat, 16 May 2015 06:38:41 +0000 (UTC) X-SubmittedBy: id 100000045929 subject /C=CZ/O=Univerzita+20Karlova+20v+20Praze/CN=Dan+20Lukes/unstructuredName=100000045929 issued by /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA+20Personal+20CA+202 auth type TLS.MFF Received: from [100.65.40.107] (ip-37-188-136-85.eurotel.cz [37.188.136.85]) (authenticated) by smtp1.ms.mff.cuni.cz (8.14.9/8.14.9) with ESMTP id t4G6cQrf005510 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=OK) for ; Sat, 16 May 2015 08:38:37 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <5556E5DC.7090809@obluda.cz> Date: Sat, 16 May 2015 08:38:20 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1 MIME-Version: 1.0 To: freebsd-security Subject: Re: Forums.FreeBSD.org - SSL Issue? References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> In-Reply-To: <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 May 2015 06:38:43 -0000 Mark Felder wrote: >> Base OpenSSL in still supported releases is too old version and doesn't >> support TLS 1.2 as well. >> >> Either TLS 1.0 is so insecure and should not be used, or is secure >> enough for FreeBSD. > When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't > have these vulnerabilities or problems. All security patches are released because of something discovered after release. So it is nothing new nor special. But it's not the matter of my comment. As far as I know, there has been no discussion on FreeBSD Security related to fact that FreeBSD 9 will not receive security patches for particular known security issue. Nor even announcement, if it has been considered no topic for discussion here. So I'm confused (as claimed in previous comment). Other the issue is not so severe, then I don't understand why TLS 1.0 needs to be disabled on forums. Or it is so severe so I don't understand why there is still no Security Advisory dedicated to it. Well, there may be no solution known - but even in such case the issue should be announced. Dan From owner-freebsd-security@FreeBSD.ORG Sat May 16 14:20:04 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 81210A2E for ; Sat, 16 May 2015 14:20:04 +0000 (UTC) Received: from mail-la0-x232.google.com (mail-la0-x232.google.com [IPv6:2a00:1450:4010:c03::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 055ED1BC7 for ; Sat, 16 May 2015 14:20:04 +0000 (UTC) Received: by laat2 with SMTP id t2so161092899laa.1 for ; Sat, 16 May 2015 07:20:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=qQ1KCBRjnwUXhvhM44NDe11JQtHJ28zBOO8gbVQDUPQ=; b=lq/gvNah4noSWvMViKdXSLW+Qjasgf1ZV5NtT6VTLSQcdAbBWVQ4XH+8g2xNtgfpO/ 8FIN30Cya9urmemXZJDWnj8MuEToT2qKOAgZK7GtbvNZkS0hDDE1whgVBuuuBHsZcZTq FAN7Sg6emrduFdLY8a1yaanbTqk1pv4CPkSc+kthek7uquDfvx1DAy9G1nRbeOA6x+wi zpMwkMbT1vRKdlnSREW1FhC5GfALyAx/aUZ8SVNeLwdgzysd5H9ATWzgFKwlag8FfK64 BHPJQsJyEqTmRfbtJxoDzhc04C74jpydFW8h5Qh4e+nQFtJVAIQeA0JxhVzW54Kjs8pL jMUQ== MIME-Version: 1.0 X-Received: by 10.112.17.8 with SMTP id k8mr11031876lbd.28.1431786001886; Sat, 16 May 2015 07:20:01 -0700 (PDT) Received: by 10.152.137.193 with HTTP; Sat, 16 May 2015 07:20:01 -0700 (PDT) In-Reply-To: <20150515183437.E09DAA33@hub.freebsd.org> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <20150515152220.C0CC7689@hub.freebsd.org> <1431705766.3563083.269738569.0FA82C3E@webmail.messagingengine.com> <20150515183437.E09DAA33@hub.freebsd.org> Date: Sat, 16 May 2015 17:20:01 +0300 Message-ID: Subject: Re: Forums.FreeBSD.org - SSL Issue? From: Kimmo Paasiala To: Roger Marquis Cc: freebsd-security Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 May 2015 14:20:04 -0000 On Fri, May 15, 2015 at 9:34 PM, Roger Marquis wrote: > Mark Felder wrote: >>> >>> Another option is a second openssl port, one that overwrites base and >>> guarantees compatibility with RELEASE. Then we could at least have all >>> versions of openssl in vuln.xml (not that that's been a reliable >>> indicator of security of late). >>> >> >> This will never work. You can't guarantee compatibility with RELEASE and >> upgrade it too. > > > How do you figure? RedHat does exactly that with every backport, and > they do it for the life of a release. > > Roger > Redhat makes no promise of binary compatibility for locally compiled software. They can update OpenSSL as they wish from version 1.0.1 to 1.0.2, recompile all affected packages (all of Redhat "userland" is covered by .rpm packages) and push them to the users and advise users of locally compiled software to recompile what they have. This is unacceptable in FreeBSD that makes a hard promise that the ABI will remain compatible troughout the whole lifetime of the same major version line. -Kimmo