From owner-freebsd-security@FreeBSD.ORG  Sun May 17 20:50:33 2015
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 43BE814C;
 Sun, 17 May 2015 20:50:33 +0000 (UTC)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 30B461C07;
 Sun, 17 May 2015 20:50:32 +0000 (UTC)
Date: Sun, 17 May 2015 13:50:25 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: Mark Felder <feld@FreeBSD.org>
cc: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
In-Reply-To: <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com>
References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com>
 <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com>
 <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net>
 <20150514193706.V69409@sola.nimnet.asn.au>
 <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net>
 <5554879D.7060601@obluda.cz>
 <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com>
 <5556E5DC.7090809@obluda.cz>
 <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com>
User-Agent: Alpine 2.11 (BSF 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 17 May 2015 20:50:33 -0000

> You're not understanding the situation: the vulnerability isn't in
> OpenSSL; it's a design flaw / weakness in the protocol. This is why
> everyone is running like mad from SSL 3.0 and TLS 1.0.

Right, there are two issues being discussed that should be separated.
The thread was originally about SSL version weaknesses and the rational
for that (keeping v1.0 around for the near term) was described quite
well.

The second issue was regarding base and ports versions of openssl and how
to coordinate between them.  I recommended an openssl_base port so that
security vulnerabilities (not necessarily protocol weaknesses) could be
more easily remediated (than installworld) and so 'pkg audit' could
report on those.  It was asserted and reasserted that this would be
infeasible, however, no example or reason was given.  Considering the
time to write and test patches is the same in either case it is still an
open question.

The problem of multiple versions of the same libraries and binaries,
however, remains a weakness in the FreeBSD security model.  This may be
one of the reasons why the EU recently recommended more widespread
adoption of OpenBSD (vs FreeBSD).  Either way, it is a design flaw that
can and should be solved in the most robust way possible.

Roger