Date: Sun, 17 May 2015 13:50:25 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: Mark Felder <feld@FreeBSD.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
In-Reply-To: <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com>
References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com>
> You're not understanding the situation: the vulnerability isn't in
> OpenSSL; it's a design flaw / weakness in the protocol. This is why
> everyone is running like mad from SSL 3.0 and TLS 1.0.

Right, there are two issues being discussed that should be separated.

The thread was originally about SSL version weaknesses, and the rationale for that (keeping v1.0 around for the near term) was described quite well.

The second issue was regarding base and ports versions of openssl and how to coordinate between them. I recommended an openssl_base port so that security vulnerabilities (not necessarily protocol weaknesses) could be more easily remediated (than installworld) and so 'pkg audit' could report on those. It was asserted and reasserted that this would be infeasible; however, no example or reason was given. Considering the time to write and test patches is the same in either case, it is still an open question.

The problem of multiple versions of the same libraries and binaries, however, remains a weakness in the FreeBSD security model. This may be one of the reasons why the EU recently recommended more widespread adoption of OpenBSD (vs FreeBSD). Either way, it is a design flaw that can and should be solved in the most robust way possible.

Roger