From owner-freebsd-security@FreeBSD.ORG Thu Jun 5 15:57:56 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 54A1E5A9 for ; Thu, 5 Jun 2014 15:57:56 +0000 (UTC) Received: from anubis.delphij.net (anubis.delphij.net [64.62.153.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 3A8512D4A for ; Thu, 5 Jun 2014 15:57:56 +0000 (UTC) Received: from delphij-macbook.local (c-24-5-244-32.hsd1.ca.comcast.net [24.5.244.32]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by anubis.delphij.net (Postfix) with ESMTPSA id B8B9C1351E; Thu, 5 Jun 2014 08:57:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1401983875; bh=bRv20c7XaI8ZMSfhcW6L84Olf+lPKJaT4PJ6GaCi/+s=; h=Date:From:Reply-To:To:Subject:References:In-Reply-To; b=Xn5r6hbkRaOF00RRi8vjEVnwfGrpKwXbfsXfrb7HnCe47RCK/kwMcnd3jPdQ+Z+pd QlbhhtbDlng1p3b5JDZU/b0HvZsuArKUcg+aRedB9HvBoTWpE31YHH5itzLiywR+er /3LiVE5ZZ3KAmcuXhuwEsfLAwL+rczlO75M+JiIs= Message-ID: <53909383.50608@delphij.net> Date: Thu, 05 Jun 2014 08:57:55 -0700 From: Xin Li Reply-To: d@delphij.net Organization: The FreeBSD Project MIME-Version: 1.0 To: Jappe Reuling , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:14.openssl References: <201406051316.s55DGtGw041955@freefall.freebsd.org> <53908845.20900@lowlife.org> In-Reply-To: <53908845.20900@lowlife.org> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jun 2014 15:57:56 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 6/5/14, 8:09 AM, Jappe Reuling wrote: > Hi, > > One, my appologies if it's a stupid one, question: the advisory is > for DTLS, hence UDP TLS, right? DTLS should work with SCTP as well but most applications uses DTLS with UDP. Please note that this advisory have 4 issues and 2 of them were DTLS, 2 were TLS. > Normally you would run SSL (TLS a.o.) via TCP. So what would use > DTLS (in the base system) and could be vulnerable? A mailserver > using TLS and linked to the base system's openssl would be using > TCP...? The TLS ones are vulnerable to e.g. CVE-2014-0224 which allows MITM attack. Cheers, -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJTkJODAAoJEJW2GBstM+nsMuMP/i9u5iZqW1t3zHJ+GOg+GVF0 64wqViaCtCDad0ibHQw5Mv0otxPN+J4P7QPRRGBs1lzR/yWkjZMcjqCr6qcA8wSs KGFprvoslVU67sP5A/WQGFNPhy4IkxhhpWE/+ELBvt0qkO1J8x6mctgxbHmIg45p U6YHdh2SsY/ph2HgBOcG6lsTE3AY2xSZgCVfbHxzsioX3CoaXjpup/aSQ/mfzRJU WEtEuEyrJMiIs+tolXfaQWiPBMoGuwq8B87JJgcRaHEquMsFPeYejpk4nhYAdUlm BKdrfUbZBryYIQmpIP3yws47qFgdboqwCv7HLpXqbqVwiebx5Ioz1o07ukAAe+H5 99I/8G7DYwLRccdi4blaJZhYksiEYVMagW86DRlC/Vi/i3mQPfNHZhTO88qOgtOZ drQZeQo/3ExhgHWRa2ERToyEGntPZh1rIDAIbYh6ht4LH6VpjIvIfOQgVSHVvJjA ePFUasbC64BSXvnPEVz7awyzLJSb42fJS4vGQ4/DTbmTOP8pHW14WcxTZeA/W2j2 OPkEtlcQt8OOQlyzp05mqq/wcEFNmw8OAX+LdVU+4XwzGVq4vA467LBtHnk/J1kb uqf76t4M/j05Z4UfRV4QpYmmTlFWXa1MzjvVi3i/K0oxjiNyX9bPBkd6MLAo+dfl eX0INg7phQp+cre+Sd4c =28Xl -----END PGP SIGNATURE-----