From: Mark Felder
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Date: Sun, 17 May 2015 15:56:51 -0500

On Sun, May 17, 2015, at 15:50, Roger Marquis wrote:
> > You're not understanding the situation: the vulnerability isn't in
> > OpenSSL; it's a design flaw / weakness in the protocol. This is why
> > everyone is running like mad from SSL 3.0 and TLS 1.0.
>
> Right, there are two issues being discussed that should be separated.
> The thread was originally about SSL version weaknesses and the rationale
> for that (keeping v1.0 around for the near term) was described quite
> well.
>
> The second issue was regarding base and ports versions of openssl and how
> to coordinate between them. I recommended an openssl_base port so that
> security vulnerabilities (not necessarily protocol weaknesses) could be
> more easily remediated (than installworld) and so 'pkg audit' could
> report on those. It was asserted and reasserted that this would be
> infeasible, however, no example or reason was given. Considering the
> time to write and test patches is the same in either case it is still an
> open question.
>

Again, this is not possible. You can't just "replace" the base OpenSSL.
That port or package would also have to replace every binary and library
in the base system linked to an OpenSSL library such as libcrypt with a
version that was built against the updated OpenSSL. You might as well
fork FreeBSD at this point.
> The problem of multiple versions of the same libraries and binaries,
> however, remains a weakness in the FreeBSD security model. This may be
> one of the reasons why the EU recently recommended more widespread
> adoption of OpenBSD (vs FreeBSD). Either way, it is a design flaw that
> can and should be solved in the most robust way possible.
>
> Roger

OpenBSD can do this because they roll a new release every 6 months. They
don't support an OS release train for 5 years.
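The practical check behind the exchange above is: which objects on a FreeBSD box are linked against the base OpenSSL (the ones only installworld or freebsd-update replaces) and which against the ports copy (the ones `pkg audit` covers)? The following is an added shell example, not code from this thread or from the FreeBSD project. It assumes the usual FreeBSD layout where the base libssl/libcrypto live in /lib and /usr/lib and the ports copy under /usr/local/lib; `classify_ldd` and `scan_dir` are names chosen here, and the ldd(1) output used to illustrate them is constructed, with illustrative library version numbers.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD). On a FreeBSD host, list
# every executable and shared library under the base-system directories that
# links libssl/libcrypto, and say whether the resolved copy is the base one
# (/lib, /usr/lib) or a ports one (/usr/local/lib). The "base" lines are the
# objects an "openssl_base" package would also have to rebuild and replace.

# classify_ldd: read ldd(1) output on stdin; for each OpenSSL library line
# (constructed shape: "libcrypto.so.7 => /lib/libcrypto.so.7 (0x...)") print
# "<soname> <origin>", where origin is "ports" when the resolved path is
# under /usr/local and "base" otherwise.
classify_ldd() {
    awk '
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            origin = ($3 ~ /^\/usr\/local\//) ? "ports" : "base"
            print $1, origin
        }'
}

# scan_dir: run ldd over each executable or shared object in one directory
# and print the ones that link OpenSSL, with the origin of each library.
scan_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.so*) ;;                      # shared libraries: always check
            *) [ -x "$f" ] || continue ;;  # anything else must be executable
        esac
        deps=$(ldd "$f" 2>/dev/null | classify_ldd | tr '\n' ' ')
        [ -n "$deps" ] && printf '%s: %s\n' "$f" "$deps"
    done
}

# Usage on a FreeBSD box: ./scan.sh --scan
# Base directories first, then the ports prefix for comparison.
if [ "${1:-}" = "--scan" ]; then
    for d in /bin /sbin /usr/bin /usr/sbin /lib /usr/lib /usr/local/bin; do
        scan_dir "$d"
    done
fi
```

Anything reported as "base" is fixed only by updating the base system, which is the point being made against an openssl_base port: the port could ship a newer libcrypto, but fetch(1), libfetch, and the rest of base would keep loading the copy they were linked against unless they were rebuilt too.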