From: Dan Lukes
Date: Mon, 18 May 2015 20:55:15 +0200
To: freebsd-security
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Message-ID: <555A3593.3010306@obluda.cz>

On 05/18/15 20:04, Mark Felder:
> Fetch also doesn't have a certificate trust store out of the box.

fetch (nor SSL protocol itself) claim there is one here

> FYI, you can set SSL_NO_SSL3 and SSL_NO_TLS1 in your env to stop this
> behavior in fetch. If you add this to your base system image you can
> lock this down pretty reliably.

I'm not using fetch for transfer of secure data at all. But yes, the countermeasures you described can be part of the SA I'm calling for.

> Keep in mind that changing this default behavior in fetch would be a
> POLA violation and possibly break scripts for countless users.
> Comparatively, is the forums HTTPS also a POLA violation? Maybe! I can't
> decide. :-(

If I will be called to decide between POLA to be violated and security to be violated, I will vote for POLA violation all the time. Security has higher priority to be maintained.
I'm sure it's not necessary to compare possible damages for those two scenarios.

And no broken user script may happen in advance. No system will change behavior unless upgraded to a patched version by a responsible admin. He should be allowed to configure the patched system to start fetch in the former "security violation" mode (but not by default) if it will fit better their wishes.

I consider it better than silence about the issue.

But to tell the truth, it's not my war - and no one seems to be with me here ;-) I have my own source repository with custom system patches so I'm not tied to "official" decisions.

No offense to the FreeBSD team in any way! I'm just not an average user. ;-)

Dan