From owner-freebsd-security@freebsd.org Mon Jul 13 17:53:53 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 201446] Server name indication (sni) is not supported in base OpenSSL
Date: Mon, 13 Jul 2015 17:53:53 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201446

Xin LI changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Closed                      |Open
           Assignee|delphij@FreeBSD.org         |apache@FreeBSD.org
         Resolution|Overcome By Events          |---

--- Comment #8 from Xin LI ---
Assigning to Apache maintainers for further investigation. FWIW my nginx SNI worked just fine on 10.1-RELEASE with OpenSSL 1.0.1l.

--
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-security@freebsd.org Mon Jul 13 18:33:14 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 201446] Server name indication (sni) is not supported in base OpenSSL
Date: Mon, 13 Jul 2015 18:33:14 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201446

Mark Felder changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |feld@FreeBSD.org

--- Comment #9 from Mark Felder ---
My site is also using SNI and 10.1-RELEASE, but with nginx
From owner-freebsd-security@freebsd.org Fri Jul 17 19:18:42 2015
Message-ID: <55A95526.3070509@sentex.net>
Date: Fri, 17 Jul 2015 15:19:02 -0400
From: Mike Tancsa
Organization: Sentex Communications
To: "freebsd-security@freebsd.org"
Subject: OpenSSH max auth tries issue

Not sure if others have seen this yet

------------------

https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/

"OpenSSH has a default value of six authentication tries before it will close the connection (the ssh client allows only three password entries per default).

With this vulnerability an attacker is able to request as many password prompts limited by the “login graced time” setting, that is set to two minutes by default."

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@freebsd.org Sat Jul 18 23:10:18 2015
Message-Id: <1437261017.3368395.327186961.64104619@webmail.messagingengine.com>
From: Mark Felder
To: Mike Tancsa, freebsd-security@freebsd.org
Subject: Re: OpenSSH max auth tries issue
Date: Sat, 18 Jul 2015 18:10:17 -0500
In-Reply-To: <55A95526.3070509@sentex.net>
References: <55A95526.3070509@sentex.net>

On Fri, Jul 17, 2015, at 14:19, Mike Tancsa wrote:
> Not sure if others have seen this yet
>
> ------------------
>
>
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>
> "OpenSSH has a default value of six authentication tries before it will
> close the connection (the ssh client allows only three password entries
> per default).
>
> With this vulnerability an attacker is able to request as many password
> prompts limited by the “login graced time” setting, that is set to two
> minutes by default."
>
>

Does it produce multiple entries in the server logs? I'm curious if sshguard etc would detect this. If I understand what's going on, this might appear as if it's a single "session" and be able to bypass pf overload rules. I'll have to play around with it and see what it does.
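
Added example, not part of any message in this thread: a shell check that reads the sshd_config settings named in the quoted advisory (the six-try limit and the two-minute login grace time) and reports whether keyboard-interactive authentication is enabled globally. The function names, the constructed sample config, the `yes` default for keyboard-interactive, and treating `ChallengeResponseAuthentication` as an alias of `KbdInteractiveAuthentication` are assumptions of this example.

```shell
#!/bin/sh
# Added example: read the global sshd_config settings that bound password
# guessing over keyboard-interactive authentication.

# Print the first value set for any KEYWORD in the global section of FILE
# (sshd keeps the first value it obtains), or DEFAULT if none is set.
# usage: sshd_value FILE DEFAULT KEYWORD [KEYWORD...]
sshd_value() {
    file=$1; default=$2; shift 2
    awk -v keys="$*" -v def="$default" '
        BEGIN { n = split(tolower(keys), k, " ") }
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        { sub(/=/, " ") }                  # accept "Keyword=value" too
        tolower($1) == "match" { exit }    # global section ends here
        { for (i = 1; i <= n; i++)
              if (tolower($1) == k[i]) { print $2; found = 1; exit } }
        END { if (!found) print def }
    ' "$file"
}

# Print the effective values; exit 0 only if keyboard-interactive is off.
# Defaults (assumed): kbd-interactive yes, MaxAuthTries 6, grace 120 s.
audit_kbdint() {
    kbd=$(sshd_value "$1" yes KbdInteractiveAuthentication \
        ChallengeResponseAuthentication)
    tries=$(sshd_value "$1" 6 MaxAuthTries)
    grace=$(sshd_value "$1" 120 LoginGraceTime)
    echo "kbd-interactive=$kbd MaxAuthTries=$tries LoginGraceTime=$grace"
    [ "$(echo "$kbd" | tr 'A-Z' 'a-z')" = no ]
}

# Constructed sample config (not from the thread).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Port 22
#ChallengeResponseAuthentication no
MaxAuthTries 3

Match User backup
    ChallengeResponseAuthentication no
EOF

if audit_kbdint "$sample"; then
    echo "keyboard-interactive is disabled globally"
else
    echo "keyboard-interactive is enabled: prompts are bounded by LoginGraceTime"
fi
```

Only the global section is read, so a value set inside a `Match` block (as in the sample) does not change the reported result.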