From: Aditya
Date: Wed, 31 Jul 2002 12:22:40 -0700
Newsgroups: gmane.comp.apache.mod-ssl.user
Cc: freebsd-security@freebsd.org
Subject: temporary workaround for most recent openssl remote exploit?

The following message is a courtesy copy of an article that has been posted to gmane.comp.apache.mod-ssl.user as well.

The FreeBSD Security Advisory FreeBSD-SA-02:33.openssl says:

  IV. Workaround

  Disabling the SSL2 protocol in server applications should render
  server exploits harmless. There is no known workaround for client
  applications.

and while I'm upgrading my systems, to limit my window of exposure, if I restart my Apache servers, with:

  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL

(change +SSLv2 to -SSLv2) rather than the default:

  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

will that be sufficient as a workaround?
Thanks,
Adi
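
The difference between the two SSLCipherSuite strings in the message, as an added example that is not part of the original post: a small Python model of the OpenSSL cipher-string operators (bare token, `+`, `-`, `!`) as documented in ciphers(1), run over a constructed, simplified cipher table. It models the cipher list only, not protocol negotiation; the table and the names `evaluate` and `sslv2_left` are assumptions made for illustration.

```python
# Constructed, simplified cipher table (name, tags); not OpenSSL's real list.
CIPHERS = [
    ("DES-CBC3-SHA",    {"SSLv3", "RSA", "3DES", "HIGH"}),
    ("RC4-SHA",         {"SSLv3", "RSA", "RC4", "MEDIUM"}),
    ("DES-CBC-SHA",     {"SSLv3", "RSA", "DES", "LOW"}),
    ("EXP-DES-CBC-SHA", {"SSLv3", "RSA", "DES", "EXP"}),
    ("ADH-RC4-MD5",     {"SSLv3", "ADH", "RC4", "MEDIUM"}),
    ("DES-CBC3-MD5",    {"SSLv2", "RSA", "3DES", "HIGH"}),
    ("RC2-CBC-MD5",     {"SSLv2", "RSA", "RC2", "MEDIUM"}),
    ("DES-CBC-MD5",     {"SSLv2", "RSA", "DES", "LOW"}),
]

DEFAULT = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
EDITED = DEFAULT.replace("+SSLv2", "-SSLv2")  # the change from the message


def evaluate(cipher_string, table=CIPHERS):
    """Return the ordered cipher names left after applying each token."""
    active, killed = [], set()
    for token in cipher_string.split(":"):
        op = token[0] if token[0] in "!-+" else ""
        wanted = token[len(op):].split("+")       # "RC4+RSA" means RC4 AND RSA
        hits = [name for name, tags in table
                if wanted == ["ALL"] or all(w in tags for w in wanted)]
        if op == "!":                              # delete permanently
            killed.update(hits)
        if op in ("!", "-"):                       # "-" deletes, may be re-added
            active = [n for n in active if n not in hits]
        elif op == "+":                            # move to end, never adds
            active = ([n for n in active if n not in hits]
                      + [n for n in active if n in hits])
        else:                                      # bare token: append new ones
            active += [n for n in hits if n not in active and n not in killed]
    return active


def sslv2_left(cipher_string, table=CIPHERS):
    """SSLv2-tagged ciphers still enabled by the string."""
    v2 = {name for name, tags in table if "SSLv2" in tags}
    return [n for n in evaluate(cipher_string, table) if n in v2]


if __name__ == "__main__":
    hardened = DEFAULT.replace("+SSLv2", "!SSLv2")
    for label, s in (("default", DEFAULT), ("edited", EDITED),
                     ("edited, later LOW", EDITED + ":LOW"),
                     ("!SSLv2, later LOW", hardened + ":LOW")):
        print(f"{label:18} SSLv2 ciphers left: {sslv2_left(s)}")
```

In this model `+SSLv2` only reorders the SSLv2 ciphers while `-SSLv2` drops them; a later bare token can bring `-`-removed ciphers back, whereas `!SSLv2` keeps them out for the rest of the string.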