From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Daniel
Cc: freebsd-security@freebsd.org
Subject: Re: Openssl TLS Reneg "Bug"
Date: Wed, 18 Nov 2009 07:18:55 +0000

Daniel wrote:
> Dear List,
> new here so sorry if I am missing any important points. I was
> wondering: Does anyone know of the status of the "amended" openssl
> packages for FreeBSD? I'd like to try running our site with "reneg
> off", but I can't seem to find any notion of this on freebsd sites?
> Any ideas, pointers?

The only way of doing that at present is to use openssl-0.9.8l which
has simply had the renegotiation stuff diked out of it. That's available
as the security/openssl port, but be aware that you will have to
rebuild any SSL-aware application to link against the shlibs it
installs.

The fix in 0.9.8l is an interim measure which cripples certain openssl
functionality: installing it may cause websites to malfunction, so make
sure you have good backups and have thought about how you can back the
change out if needed.

openssl-0.9.8m will provide the corrected renegotiation mechanisms as
described in
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt

However, 0.9.8m has not yet been released. I'd assume that this will
probably be the subject of a FreeBSD Security Advisory once the fixes
are available, and that supported FreeBSD branches will be updated to
0.9.8m or otherwise patched to the same effect in the base system.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
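An added example, not part of the thread or of OpenSSL: a small Python parser that inspects a TLS ClientHello or ServerHello and reports whether the peer signals the secure-renegotiation mechanism from the draft cited above (draft-rescorla-tls-renegotiate, later published as RFC 5746), which is how an administrator can tell a 0.9.8m-style peer from one that still lacks the fix. The handshake bytes, cipher suite and zeroed random are constructed for the demo.

```python
# Added example (not from the thread): detect the RFC 5746 / draft-rescorla-tls-renegotiate signal in a TLS hello.
import struct

RENEG_INFO_EXT = 0xFF01   # renegotiation_info extension type
RENEG_SCSV = 0x00FF       # TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite

def _extensions_advertise_reneg(hs, pos):
    """True if the extensions block at hs[pos:] carries renegotiation_info."""
    if pos >= len(hs):                       # hello ends with no extensions block
        return False
    (ext_len,) = struct.unpack_from("!H", hs, pos)
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        ext_type, body_len = struct.unpack_from("!HH", hs, pos)
        if ext_type == RENEG_INFO_EXT:
            return True
        pos += 4 + body_len
    return False

def supports_secure_renegotiation(record):
    """Parse one TLS handshake record holding a hello; True if RFC 5746 is signalled."""
    ctype, _version, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    pos = 4 + 2 + 32                         # handshake header, version, random
    pos += 1 + hs[pos]                       # session id
    if hs[0] == 2:                           # ServerHello: skip cipher suite + compression
        return _extensions_advertise_reneg(hs, pos + 3)
    if hs[0] == 1:                           # ClientHello: suite list, then compression list
        cs_len = struct.unpack_from("!H", hs, pos)[0]
        suites = {struct.unpack_from("!H", hs, i)[0] for i in range(pos + 2, pos + 2 + cs_len, 2)}
        pos += 2 + cs_len
        pos += 1 + hs[pos]
        return RENEG_SCSV in suites or _extensions_advertise_reneg(hs, pos)
    raise ValueError("not a ClientHello or ServerHello")

def _record(hs_type, body):                  # wrap a hello body in TLS 1.0 handshake + record headers
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed sample hellos: TLS 1.0, zero random, empty session id, AES128-SHA (0x002f).
RANDOM = bytes(32)
# Patched server: one extension, renegotiation_info with an empty renegotiated_connection.
PATCHED_SERVER_HELLO = _record(2, b"\x03\x01" + RANDOM + b"\x00\x00\x2f\x00" + b"\x00\x05\xff\x01\x00\x01\x00")
# Unpatched server: the same hello with no extensions block at all.
LEGACY_SERVER_HELLO = _record(2, b"\x03\x01" + RANDOM + b"\x00\x00\x2f\x00")
# Client signalling support only via the SCSV pseudo suite, no extensions.
SCSV_CLIENT_HELLO = _record(1, b"\x03\x01" + RANDOM + b"\x00\x00\x04\x00\x2f\x00\xff\x01\x00")
```

The same parser can be pointed at a captured handshake record from your own server to confirm that the upgrade actually changed what is on the wire.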