Date: Mon, 20 Oct 2014 14:28:13 +0200 From: "Ronald Klop" <ronald-lists@klop.ws> To: "tethys ocean" <tethys.ocean@gmail.com> Cc: "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org> Subject: Re: Fwd: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl Message-ID: <op.xn03lbxhkndu52@ronaldradial.radialsg.local> In-Reply-To: <CAOgxTUhK0wD1kpQywo2i1D%2BO2pa=QEDb6M8Vb8SX6CGrnur7pQ@mail.gmail.com> References: <201409091104.s89B4uhi067535@freefall.freebsd.org> <CAOgxTUh7p7Du9rngwnsk%2BGXq1NN9UqjBPoOrK=OH%2Bmah1sDyGQ@mail.gmail.com> <op.xn0050wxkndu52@ronaldradial.radialsg.local> <CAOgxTUhK0wD1kpQywo2i1D%2BO2pa=QEDb6M8Vb8SX6CGrnur7pQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Can you do 'ls /usr/local/share/certs/ca-root-nss.crt'? Fetch does not complain if the cert-file does not exist (see below), but continues with no certificate chain. Using the -v option to fetch might also help in finding the cause. fetch -v --ca-cert=/yeahyeahyeah http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch looking up security.FreeBSD.org connecting to security.FreeBSD.org:80 requesting http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch 301 redirect to https://www.FreeBSD.org/security/patches/SA-14:18/openssl-10.0.patch looking up www.FreeBSD.org connecting to www.FreeBSD.org:443 SSL options: 81004bff Peer verification enabled Using CA cert file: /yeahyeahyeah Certificate verification failed for /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware 34380945272:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1180: fetch: http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch: Authentication error As a last resort (but 'unsafe') you can add the option '--no-verify-peer' to fetch. Ronald. On Mon, 20 Oct 2014 14:06:49 +0200, tethys ocean <tethys.ocean@gmail.com> wrote: > Again same err. hust below > > fetch --ca-cert=/usr/local/share/certs/ca-root-nss.crt > http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch > Certificate verification failed for /C=US/ST=UT/L=Salt Lake City/O=The > USERTRUST Network/OU=http://www.usertrust.com/>CN=UTN-USERFirst-Hardware > 675119676:error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify > failed:/usr/src/secure/lib/libssl/../../../>crypto/openssl/ssl/s3_clnt.c:1180: > fetch: http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch: > Authentication error > > > > On Mon, Oct 20, 2014 at 2:35 PM, Ronald Klop <ronald-lists@klop.ws> > wrote: >> Install port security/ca_root_nss and use: >> >> fetch --ca-cert=/usr/local/share/certs/ca-root-nss.crt >> http://security.FreeBSD.org/patches/SA-14:18/>>openssl-10.0.patch >> >> >> >> That works. And still checks validity of the https server as long as >> you trust the ca_root_nss port. >> >> >> >> But I think it is kind of lame the default certificates from base don't >> work out of the box. >> >> >> >> Ronald. >> >> >> >> >> >> >> >> >> On Mon, 20 Oct 2014 12:22:32 +0200, tethys ocean >> <tethys.ocean@gmail.com> wrote: >> >> >> >>> >>> I am using FreeBSD 10.0-STABLE on my servers. But according to this >>> mail >>> >>> I tried >>> >>> >>> >>> [FreeBSD 10.0] >>> >>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch >>> >>> # fetch >>> http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc >>> >>> # gpg --verify openssl-10.0.patch.asc >>> >>> >>> >>> But my server say this below: >>> >>> >>> >>> fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch >>> >>> Certificate verification failed for /C=US/ST=UT/L=Salt Lake City/O=The >>> >>> USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware >>> >>> 675119676:error:14090086:SSL >>> >>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify >>> >>> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1180: >>> >>> fetch: http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch: >>> >>> Authentication error >>> >>> >>> >>> What should I do ? >>> >>> >>> >>> thanx >>> >>> >>> >>> >>> >>> >>> >>> ---------- Forwarded message ---------- >>> >>> From: FreeBSD Security Advisories <security-advisories@freebsd.org> >>> >>> Date: Tue, Sep 9, 2014 at 2:04 PM >>> >>> Subject: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl >>> >>> To: FreeBSD Security Advisories <security-advisories@freebsd.org> >>> >>> >>> >>> >>> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> >>> Hash: SHA512 >>> >>> >>> >>> ============================================================================= >>> >>> FreeBSD-SA-14:18.openssl Security >>> >>> Advisory >>> >>> The FreeBSD >>> >>> Project >>> >>> >>> >>> Topic: OpenSSL multiple vulnerabilities >>> >>> >>> >>> Category: contrib >>> >>> Module: openssl >>> >>> Announced: 2014-09-09 >>> >>> Affects: All supported versions of FreeBSD. >>> >>> Corrected: 2014-08-07 21:04:42 UTC (stable/10, 10.0-STABLE) >>> >>> 2014-09-09 10:09:46 UTC (releng/10.0, 10.0-RELEASE-p8) >>> >>> 2014-08-07 21:06:34 UTC (stable/9, 9.3-STABLE) >>> >>> 2014-09-09 10:13:46 UTC (releng/9.3, 9.3-RELEASE-p1) >>> >>> 2014-09-09 10:13:46 UTC (releng/9.2, 9.2-RELEASE-p11) >>> >>> 2014-09-09 10:13:46 UTC (releng/9.1, 9.1-RELEASE-p18) >>> >>> 2014-08-07 21:06:34 UTC (stable/8, 8.4-STABLE) >>> >>> 2014-09-09 10:13:46 UTC (releng/8.4, 8.4-RELEASE-p15) >>> >>> CVE Name: CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, >>> CVE-2014-3510, >>> >>> CVE-2014-3509, CVE-2014-3511, CVE-2014-3512, >>> CVE-2014-5139 >>> >>> >>> >>> For general information regarding FreeBSD Security Advisories, >>> >>> including descriptions of the fields above, security branches, and the >>> >>> following sections, please visit <URL:http://security.FreeBSD.org/>. >>> >>> >>> >>> I. Background >>> >>> >>> >>> FreeBSD includes software from the OpenSSL Project. The OpenSSL >>> Project is >>> >>> a collaborative effort to develop a robust, commercial-grade, >>> full-featured >>> >>> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) >>> >>> and Transport Layer Security (TLS v1) protocols as well as a >>> full-strength >>> >>> general purpose cryptography library. >>> >>> >>> >>> II. Problem Description >>> >>> >>> >>> The receipt of a specifically crafted DTLS handshake message may cause >>> >>> OpenSSL >>> >>> to consume large amounts of memory. [CVE-2014-3506] >>> >>> >>> >>> The receipt of a specifically crafted DTLS packet could cause OpenSSL >>> to >>> >>> leak >>> >>> memory. [CVE-2014-3507] >>> >>> >>> >>> A flaw in OBJ_obj2txt may cause pretty printing functions such as >>> >>> X509_name_oneline, X509_name_print_ex et al. to leak some information >>> from >>> >>> the stack. [CVE-2014-3508] >>> >>> >>> >>> OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are >>> subject to >>> >>> a denial of service attack. [CVE-2014-3510] >>> >>> >>> >>> The following problems affect FreeBSD 10.0-RELEASE and later: >>> >>> >>> >>> If a multithreaded client connects to a malicious server using a >>> resumed >>> >>> session and the server sends an ec point format extension it could >>> write >>> >>> up to 255 bytes to freed memory. [CVE-2014-3509] >>> >>> >>> >>> A flaw in the OpenSSL SSL/TLS server code causes the server to >>> negotiate >>> >>> TLS 1.0 instead of higher protocol versions when the ClientHello >>> message >>> >>> is badly fragmented. [CVE-2014-3511] >>> >>> >>> >>> A malicious client or server can send invalid SRP parameters and >>> overrun >>> >>> an internal buffer. [CVE-2014-3512] >>> >>> >>> >>> A malicious server can crash the client with a NULL pointer >>> dereference by >>> >>> specifying a SRP ciphersuite even though it was not properly negotiated >>> >>> with the client. [CVE-2014-5139] >>> >>> >>> >>> III. Impact >>> >>> >>> >>> A remote attacker may be able to cause a denial of service (application >>> >>> crash, large memory consumption), obtain additional information, >>> >>> cause protocol downgrade. Additionally, a remote attacker may be able >>> >>> to run arbitrary code on a vulnerable system if the application has >>> been >>> >>> set up for SRP. >>> >>> >>> >>> IV. Workaround >>> >>> >>> >>> No workaround is available. >>> >>> >>> >>> V. Solution >>> >>> >>> >>> Perform one of the following: >>> >>> >>> >>> 1) Upgrade your vulnerable system to a supported FreeBSD stable or >>> >>> release / security branch (releng) dated after the correction date. >>> >>> >>> >>> 2) To update your vulnerable system via a source code patch: >>> >>> >>> >>> The following patches have been verified to apply to the applicable >>> >>> FreeBSD release branches. >>> >>> >>> >>> a) Download the relevant patch from the location below, and verify the >>> >>> detached PGP signature using your PGP utility. >>> >>> >>> >>> [FreeBSD 10.0] >>> >>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch >>> >>> # fetch >>> http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc >>> >>> # gpg --verify openssl-10.0.patch.asc >>> >>> >>> >>> [FreeBSD 9.3] >>> >>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch >>> >>> # fetch >>> http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch.asc >>> >>> # gpg --verify openssl-9.3.patch.asc >>> >>> >>> >>> [FreeBSD 9.2, 9.1, 8.4] >>> >>> # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch >>> >>> # fetch >>> http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch.asc >>> >>> # gpg --verify openssl-9.patch.asc >>> >>> >>> >>> b) Apply the patch. Execute the following commands as root: >>> >>> >>> >>> # cd /usr/src >>> >>> # patch < /path/to/patch >>> >>> >>> >>> c) Recompile the operating system using buildworld and installworld as >>> >>> described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. >>> >>> >>> >>> Restart all deamons using the library, or reboot the system. >>> >>> >>> >>> 3) To update your vulnerable system via a binary patch: >>> >>> >>> >>> Systems running a RELEASE version of FreeBSD on the i386 or amd64 >>> >>> platforms can be updated via the freebsd-update(8) utility: >>> >>> >>> >>> # freebsd-update fetch >>> >>> # freebsd-update install >>> >>> >>> >>> VI. Correction details >>> >>> >>> >>> The following list contains the correction revision numbers for each >>> >>> affected branch. >>> >>> >>> >>> Branch/path >>> Revision >>> >>> - >>> ------------------------------------------------------------------------- >>> >>> stable/8/ >>> r269687 >>> >>> releng/8.4/ >>> r271305 >>> >>> stable/9/ >>> r269687 >>> >>> releng/9.1/ >>> r271305 >>> >>> releng/9.2/ >>> r271305 >>> >>> releng/9.3/ >>> r271305 >>> >>> stable/10/ >>> r269686 >>> >>> releng/10.0/ >>> r271304 >>> >>> - >>> ------------------------------------------------------------------------- >>> >>> >>> >>> To see which files were modified by a particular revision, run the >>> >>> following command, replacing NNNNNN with the revision number, on a >>> >>> machine with Subversion installed: >>> >>> >>> >>> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base >>> >>> >>> >>> Or visit the following URL, replacing NNNNNN with the revision number: >>> >>> >>> >>> <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; >>> >>> >>> >>> VII. References >>> >>> >>> >>> <URL:https://www.openssl.org/news/secadv_20140806.txt>; >>> >>> >>> >>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506>; >>> >>> >>> >>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507>; >>> >>> >>> >>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508>; >>> >>> >>> >>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509>; >>> >>> >>> >>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510>; >>> >>> >>> >>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511>; >>> >>> >>> >>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512>; >>> >>> >>> >>> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139>; >>> >>> >>> >>> The latest revision of this advisory is available at >>> >>> <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:18.openssl.asc>; >>> >>> -----BEGIN PGP SIGNATURE----- >>> >>> >>> >>> iQIcBAEBCgAGBQJUDtUBAAoJEO1n7NZdz2rnOUoP/jNoEEPVt1RoVPQoOQc6vno5 >>> >>> 2HXcCDsu0ql3kCNIIZ7E6TddfduzV04EMzBrIgulg7eXft+Lnx6HlEgJOo7QLImc >>> >>> aWLWxjcbyby6wrbYOc+FLK11yx9/uZJF0VCdSeyzhy0EFD3tOZPsDMXKZmG7FRkg >>> >>> 6A7ENJU25Mx8V1myzHw/VfDwAHCtXHliFVVE0CUku55pYnlhMeetu/wuB6KYbmgV >>> >>> 1WUamiHEGl4Dh4Up7nGHYYm32kqZLaE+cf1Ovc2VGT98ZyXmCgDB4+8kkA/HZxxp >>> >>> DRgQlojeQhahee5MmzD+wMJXlq6dekoo+JVf22+Nb+oNmlKT6/UxtUhCwW11MLUV >>> >>> rnOMr3u1JCNvBc+3KroSmtFeEtqh7jx3Ag4w8lS5mJO+wX1/lilbsFxSS/9G65fy >>> >>> LqHUQSxkuDJ1bNzPfKreBPyUmQlG5t/3DonIDCF9r3sefDN+kxqe1+RwjdNRM0ov >>> >>> V7OH/AW1NBQtV/F/h0tKCcskvcJo9Q+inAohheLPnWkFj7F2tLNt5TAxsGy7WvFZ >>> >>> MuQSAXpZkdh7OkhAhBM3Xk+EOv7Qk7zZL5HJ1Lpm6kfJ8wSb4etoUV7oELaDMBz8 >>> >>> +9r+Vr9GtjSsec2a4tjNIixZKV9bzEhgKP5gsWD/JewhAzF+0bYNa9snOWxzpAYb >>> >>> j+eW9IT7pEAJK9DtIsDd >>> >>> =f4To >>> >>> -----END PGP SIGNATURE----- >>> >>> _______________________________________________ >>> >>> freebsd-security@freebsd.org mailing list >>> >>> http://lists.freebsd.org/mailman/listinfo/freebsd-security >>> >>> To unsubscribe, send any mail to >>> "freebsd-security-unsubscribe@freebsd.org" >>> >>> >>> >>> >>> >> >> _______________________________________________ >> >> freebsd-stable@freebsd.org mailing list >> >> http://lists.freebsd.org/mailman/listinfo/freebsd-stable >> >> To unsubscribe, send any mail to >> "freebsd-stable-unsubscribe@freebsd.org" >> > > > > --Share now a pigeon's flightBluebound along the ancient skies,Its women > forever hair and mammal,A Mediterranean town may ariseIf you rip apart a > pigeon's heart.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.xn03lbxhkndu52>