From: Robert Fitzpatrick <robert@webtent.org>
To: FreeBSD (freebsd-questions@freebsd.org)
Subject: SSL/TLS remove/disable renegotiation capabilities
Date: Thu, 19 Oct 2023 09:18:40 -0400
Message-ID: <54c94101-0930-dddf-4d66-1516b6d870b1@webtent.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
As a result of a recent vulnerability scan using the GVM 22.4 scanning FreeBSD 13.2, it is recommended to remove/disable renegotiation capabilities altogether from/in the affected SSL/TLS service for a MEDIUM vulnerability CVE-2011-1473. Looking further at the CVE shows DISPUTED; furthermore, it looks like our version of OpenSSL is not affected?

robert@gvm:~$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

CVE: http://cve.circl.lu/cve/CVE-2011-1473

The host manager of the FreeBSD VM will want this mitigated, how could I apply the SSL_OP_NO_RENEGOTIATION option to openssl or other solution?

--
Thanks, Robert
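Added example, not from the post above: the option the question names is a per-context OpenSSL flag, so it is applied inside the program that owns the listening socket (in C via SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION)). The script below does the same through Python's ssl binding, refuses to proceed on an OpenSSL build too old to expose the flag, and reports what actually landed on the context; the certificate paths are assumed placeholders.

```python
"""Set SSL_OP_NO_RENEGOTIATION on a TLS server context and verify it."""
import ssl

# OpenSSL first exposed SSL_OP_NO_RENEGOTIATION in 1.1.0h; Python only defines
# ssl.OP_NO_RENEGOTIATION when it is linked against such a library.
MIN_OPENSSL_NAME = "1.1.0h"


def renegotiation_option_available() -> bool:
    """True if this interpreter's OpenSSL exposes SSL_OP_NO_RENEGOTIATION."""
    return hasattr(ssl, "OP_NO_RENEGOTIATION")


def harden_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server context that refuses renegotiation on TLS 1.2 and earlier.

    TLS 1.3 has no renegotiation mechanism at all, so the flag only matters
    for the older versions this context still permits (TLS 1.2 minimum).
    certfile/keyfile are assumed placeholders; omit them to inspect the
    context without loading a key pair.
    """
    if not renegotiation_option_available():
        raise RuntimeError(
            f"{ssl.OPENSSL_VERSION} lacks SSL_OP_NO_RENEGOTIATION; "
            f"OpenSSL {MIN_OPENSSL_NAME} or later is required"
        )
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_RENEGOTIATION  # same bit as the C option
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    """Read the option bit back, as SSL_CTX_get_options() would in C."""
    return bool(ctx.options & getattr(ssl, "OP_NO_RENEGOTIATION", 0))


def describe(ctx: ssl.SSLContext) -> dict:
    """Summary suitable for a hardening report or a scan-finding response."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "min_protocol": ctx.minimum_version.name,
        "no_renegotiation": renegotiation_disabled(ctx),
    }


if __name__ == "__main__":
    print(describe(harden_server_context()))
```

For a daemon you cannot rebuild, OpenSSL 1.1.1 and later also accept the equivalent `Options = NoRenegotiation` directive in the system default section of openssl.cnf, which applies to every program that loads the default configuration.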