Date: Sun, 17 May 2015 17:00:10 -0500
From: Mark Felder <feld@FreeBSD.org>
To: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Message-ID: <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com>
In-Reply-To: <55590817.1030507@obluda.cz>
References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz>

On Sun, May 17, 2015, at 16:28, Dan Lukes wrote:
> On 05/17/15 22:20, Mark Felder:
> > You're not understanding the situation: the vulnerability isn't in
> > OpenSSL; it's a design flaw / weakness in the protocol.
>
> Sorry, my English seems to be so poor so you don't understand my very
> simple question. You are still answering other questions I didn't ask.
>
> Last attempt. I will try to make question as simple as possible. If it
> will not help I will become silent.
>
> TLS 1.0 *protocol* is buggy, new protocol has been implemented in new
> version of OpenSSL, but such version will not be imported into FreeBSD 9
> because of ABI incompatibility. Instead old version of OpenSSL and
> vulnerable protocol is still used by base system libraries and
> utilities. So base system IS affected by known vulnerability.
>
> Thus I'm asking.
>
> If TLS 1.0 is considered severe security issue AND system utilities are
> using it, why there is no Security Advisory describing this system
> vulnerability?
>

It's not a vulnerability in software, it's a weakness in the protocol
design. By your logic we should have SAs for all of the following in the
base system:

hashes:
MD5
SHA1

default passwd hash in FreeBSD 8:
md5crypt (though phk did request a CVE to help usher its death)

any openssl cipher using the following:
MD5
SHA1
DES
3DES
IDEA

I'm sure there are even more examples. None of these problems fit the
definition required to issue an SA. They're just a violation of
widely-accepted Best Current Practices.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1431900010.1965646.271069369.67E0F082>