From: Dan Lukes
Date: Sat, 16 May 2015 08:38:20 +0200
To: freebsd-security
Subject: Re: Forums.FreeBSD.org - SSL Issue?

Mark Felder wrote:
>> Base OpenSSL in still supported releases is too old version and doesn't
>> support TLS 1.2 as well.
>>
>> Either TLS 1.0 is so insecure and should not be used, or is secure
>> enough for FreeBSD.

> When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't
> have these vulnerabilities or problems.

All security patches are released because of something discovered after release. So it is nothing new nor special. But it's not the matter of my comment.

As far as I know, there has been no discussion on FreeBSD Security related to the fact that FreeBSD 9 will not receive security patches for a particular known security issue. Nor even an announcement, if it has been considered no topic for discussion here.

So I'm confused (as claimed in previous comment). Either the issue is not so severe, then I don't understand why TLS 1.0 needs to be disabled on forums. Or it is so severe, so I don't understand why there is still no Security Advisory dedicated to it.

Well, there may be no solution known - but even in such a case the issue should be announced.

Dan