Date: Thu, 19 Oct 2023 09:27:44 -0400
From: Robert Fitzpatrick <robert@webtent.org>
To: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: SSL/TLS remove/disable renegotiation capabilities
Message-ID: <333aa0a9-c0ba-b29c-780d-359016dd31de@webtent.org>
In-Reply-To: <54c94101-0930-dddf-4d66-1516b6d870b1@webtent.org>
References: <54c94101-0930-dddf-4d66-1516b6d870b1@webtent.org>
> Robert Fitzpatrick <mailto:robert@webtent.org>
> Thursday, October 19, 2023 9:18 AM
>
> As a result of a recent vulnerability scan using the GVM 22.4 scanning
> FreeBSD 13.2, it is recommended to remove/disable renegotiation
> capabilities altogether from/in the affected SSL/TLS service for a
> MEDIUM vulnerability CVE-2011-1473. Looking further at the CVE shows
> DISPUTED; furthermore, it looks like our version of OpenSSL is not
> affected?
>
> robert@gvm:~$ openssl version
> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
>
> CVE: http://cve.circl.lu/cve/CVE-2011-1473
>
> The host manager of the FreeBSD VM will want this mitigated. How could I
> apply the SSL_OP_NO_RENEGOTIATION option to openssl, or is there another
> solution?

Actually, this is the result of a second CVE:
http://cve.circl.lu/cve/CVE-2011-5094

-- 
Thanks, Robert
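The following is an added example and is not part of this thread or of any reply to it. It shows one way to apply the option the question asks about without patching the service: OpenSSL 1.1.1 and 3.x apply a "system_default" section from openssl.cnf to every SSL_CTX a program creates, and the "Options" command in that section accepts "NoRenegotiation", which has the same effect as the application calling SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION). Two things worth knowing before using it: OpenSSL 3.0 already refuses client-initiated renegotiation unless the application sets SSL_OP_ALLOW_CLIENT_RENEGOTIATION (config name "ClientRenegotiation"), whereas the 1.1.1 series, which FreeBSD 13 ships in the base system, still accepts it by default; and the "openssl version" shown in the quoted message was run on the scanner host, not on the FreeBSD VM, so the library the affected service actually links (check with ldd) is what matters. The file path and section names below are assumptions for illustration (FreeBSD's base OpenSSL reads /etc/ssl/openssl.cnf; an OpenSSL installed from ports reads its own copy under /usr/local).

```ini
# Added example, not from the thread: disable TLS renegotiation for every
# program that links this installation's libssl, via OpenSSL's system
# default configuration (OpenSSL 1.1.1 and 3.x).
# Assumed path: /etc/ssl/openssl.cnf (FreeBSD base OpenSSL).

# This line must sit in the unnamed section at the top of the file, before
# any [section] header. The section name "openssl_init" is arbitrary; reuse
# whatever name the existing file already points at.
openssl_conf = openssl_init

[openssl_init]
# Keep any lines that are already here (an OpenSSL 3.x file usually has
# "providers = provider_sect"); only ssl_conf is needed for this example.
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Weak state this replaces: no Options line at all (OpenSSL 1.1.1 then
# honours client-initiated renegotiation), or on 3.x an explicit
#   Options = ClientRenegotiation
# Hardened setting: refuse all renegotiation in TLS 1.2 and earlier.
# Same effect as SSL_OP_NO_RENEGOTIATION set by the application.
Options = NoRenegotiation
```

To check the result from another host, connect with "openssl s_client -connect host:port -tls1_2", wait for the handshake to finish, then type R and press Enter to request a renegotiation. A server that has renegotiation disabled answers with a no_renegotiation alert and the client reports an error instead of completing a second handshake (some servers simply close the connection). Caveats: the setting only reaches programs that load this openssl.cnf and create their SSL_CTX after it is loaded; a service that calls SSL_CTX_clear_options itself, is statically linked, or bundles its own TLS library is not covered; and TLS 1.3 has no renegotiation, so the option is irrelevant for connections that negotiate it.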
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?333aa0a9-c0ba-b29c-780d-359016dd31de>