Date: Tue, 11 Oct 2005 09:26:46 -0700
From: Colin Percival <cperciva@freebsd.org>
To: Ian G <iang@iang.org>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
Message-ID: <434BE7C6.4080605@freebsd.org>
In-Reply-To: <434BCB75.2000402@iang.org>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org> <434BCB75.2000402@iang.org>
Ian G wrote:
> FreeBSD Security Advisories wrote:
>> Applications which do not support SSLv2, have been configured to not
>> permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
>> or SSL_OP_ALL options are not affected.
>>
>> IV. Workaround
>>
>> No workaround is available.
>
> Isn't the workaround obviously to switch off V2?

Configuring applications to not permit use of SSLv2 is a workaround.
However, this is something which needs to be done on an
application-by-application basis, and it is likely that there will be
some applications which do not have any option for doing this.

> In the phishing world - where users are being
> exposed to losses in the billion dollar range
> or so - we are crying out for the removal of v2.
> Can this be done?

SSL is supposed to negotiate the use of SSLv3 if it is supported by both
the client and the server, so I don't see why disabling SSLv2 entirely
would be useful aside from protecting against this vulnerability.

Colin Percival
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?434BE7C6.4080605>
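The advisory's "affected / not affected" condition and the per-application workaround discussed above, as an added example (not code from the thread, from FreeBSD or from OpenSSL): it models the SSL_CTX option bits an application passes to SSL_CTX_set_options(), checks whether a given mask is in the affected state (SSLv2 still negotiable and the MSIE SSLv2 RSA padding bug-compat bit on, which SSL_OP_ALL implies), and shows the two ways an application can fix that on its own. The numeric values of the three SSL_OP_* macros are assumptions copied to match the OpenSSL 0.9.x <openssl/ssl.h> of the time so the program builds without libssl; a real application would include the header and pass the resulting mask to SSL_CTX_set_options().

```c
/* Added example: models the SSL_CTX option bits from the advisory and the
 * application-side workaround. NOT part of the thread, FreeBSD or OpenSSL.
 * The three values below are ASSUMED to match OpenSSL 0.9.x ssl.h; they are
 * defined here only so this builds stand-alone without <openssl/ssl.h>. */
#include <stdio.h>

#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* assumed 0.9.x value */
#define SSL_OP_ALL                    0x00000FFFL /* assumed 0.9.x value; includes the bit above */
#define SSL_OP_NO_SSLv2               0x01000000L /* assumed 0.9.x value */

/* Affected per the advisory: SSLv2 is still negotiable AND the MSIE padding
 * bug-compat bit is on. SSL_OP_ALL turns that bit on along with the others. */
int options_affected(long opts)
{
    int sslv2_allowed = (opts & SSL_OP_NO_SSLv2) == 0;
    int msie_bit_on   = (opts & SSL_OP_MSIE_SSLV2_RSA_PADDING) != 0;
    return sslv2_allowed && msie_bit_on;
}

/* Workaround A: keep the other bug-compat bits of SSL_OP_ALL but drop the
 * one the advisory names. */
long options_drop_msie_bit(long opts)
{
    return opts & ~SSL_OP_MSIE_SSLV2_RSA_PADDING;
}

/* Workaround B (what Ian proposes): refuse SSLv2 outright. This also
 * covers clients that would otherwise fall back to SSLv2. */
long options_disable_sslv2(long opts)
{
    return opts | SSL_OP_NO_SSLv2;
}

int main(void)
{
    long opts = SSL_OP_ALL; /* the common "enable every workaround" setting */

    printf("SSL_OP_ALL alone        affected=%d\n", options_affected(opts));
    printf("SSL_OP_ALL minus MSIE   affected=%d\n",
           options_affected(options_drop_msie_bit(opts)));
    printf("SSL_OP_ALL + NO_SSLv2   affected=%d\n",
           options_affected(options_disable_sslv2(opts)));
    /* In an application: SSL_CTX_set_options(ctx, options_disable_sslv2(SSL_OP_ALL)); */
    return 0;
}
```

Either transform has to be applied in each application's own SSL_CTX setup, which is exactly why Colin calls it an application-by-application workaround: there is no single system-wide knob for an application that never exposes its option mask.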
