Date: Sun, 17 May 2015 15:56:51 -0500
From: Mark Felder <feld@FreeBSD.org>
To: Roger Marquis <marquis@roble.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Message-ID: <1431896211.1954759.271044297.00C7D719@webmail.messagingengine.com>
In-Reply-To: <cmu-lmtpd-294856-1431895835-6@sloti22t01>
References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <cmu-lmtpd-294856-1431895835-6@sloti22t01>
On Sun, May 17, 2015, at 15:50, Roger Marquis wrote:
> > You're not understanding the situation: the vulnerability isn't in
> > OpenSSL; it's a design flaw / weakness in the protocol. This is why
> > everyone is running like mad from SSL 3.0 and TLS 1.0.
>
> Right, there are two issues being discussed that should be separated.
> The thread was originally about SSL version weaknesses and the rationale
> for that (keeping v1.0 around for the near term) was described quite
> well.
>
> The second issue was regarding base and ports versions of openssl and how
> to coordinate between them. I recommended an openssl_base port so that
> security vulnerabilities (not necessarily protocol weaknesses) could be
> more easily remediated (than installworld) and so 'pkg audit' could
> report on those. It was asserted and reasserted that this would be
> infeasible, however, no example or reason was given. Considering the
> time to write and test patches is the same in either case it is still an
> open question.
>

Again, this is not possible. You can't just "replace" the base OpenSSL. That port or package would also have to replace every binary and library in the base system linked to an OpenSSL library such as libcrypt with a version that was built against the updated OpenSSL. You might as well fork FreeBSD at this point.

> The problem of multiple versions of the same libraries and binaries,
> however, remains a weakness in the FreeBSD security model. This may be
> one of the reasons why the EU recently recommended more widespread
> adoption of OpenBSD (vs FreeBSD). Either way, it is a design flaw that
> can and should be solved in the most robust way possible.
>
> Roger

OpenBSD can do this because they roll a new release every 6 months. They don't support an OS release train for 5 years.
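The linkage Mark describes (base binaries tied to the base OpenSSL, separate from any ports copy that `pkg audit` tracks) can be inventoried on a host. The script below is an added example, not code from this thread or from FreeBSD; it classifies ldd(1) output by whether the referenced libssl/libcrypto lives under /usr/lib (base) or /usr/local/lib (ports). The sample ldd output, load addresses and library version numbers are constructed.

```shell
#!/bin/sh
# Classify which OpenSSL copy an executable is linked against, based on
# ldd(1) lines of the form "  libssl.so.7 => /usr/lib/libssl.so.7 (0x...)".
# Assumption: base OpenSSL under /usr/lib, ports OpenSSL under /usr/local/lib.

# classify_ssl_links: read ldd output on stdin; print "base", "ports",
# "both" (mixed linkage, the case worth flagging) or "none".
classify_ssl_links() {
    base=0; ports=0
    while IFS= read -r line; do
        case "$line" in
            *"=> /usr/lib/libssl.so"*|*"=> /usr/lib/libcrypto.so"*) base=1 ;;
            *"=> /usr/local/lib/libssl.so"*|*"=> /usr/local/lib/libcrypto.so"*) ports=1 ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$ports" -eq 1 ]; then echo both
    elif [ "$base" -eq 1 ]; then echo base
    elif [ "$ports" -eq 1 ]; then echo ports
    else echo none
    fi
}

# scan_dir: run ldd on every executable file in a directory and print
# "<class> <path>" for each one that references any OpenSSL copy.
# Binaries reported as "base" are the ones only a base update can fix.
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        c=$(ldd "$f" 2>/dev/null | classify_ssl_links)
        [ "$c" = none ] || printf '%s %s\n' "$c" "$f"
    done
}

# Constructed sample ldd output (not captured from a real host).
SAMPLE_BASE_LINKED='/usr/bin/fetch:
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
	libcrypto.so.7 => /usr/lib/libcrypto.so.7 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Demonstration on the constructed sample; prints "base".
printf '%s\n' "$SAMPLE_BASE_LINKED" | classify_ssl_links
```

On a live system, `scan_dir /usr/bin` and `scan_dir /usr/local/bin` give the two inventories side by side.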
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1431896211.1954759.271044297.00C7D719>