From: Colin Percival <cperciva@freebsd.org>
Date: Tue, 11 Oct 2005 09:26:46 -0700
To: Ian G
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
In-reply-to: <434BCB75.2000402@iang.org>
Message-id: <434BE7C6.4080605@freebsd.org>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org> <434BCB75.2000402@iang.org>
Ian G wrote:
> FreeBSD Security Advisories wrote:
>> Applications which do not support SSLv2, have been configured to not
>> permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
>> or SSL_OP_ALL options are not affected.
>>
>> IV. Workaround
>>
>> No workaround is available.
>
> Isn't the workaround obviously to switch off V2?

Disabling applications to not permit use of SSLv2 is a workaround. However, this is something which needs to be done on an application-by-application basis, and it is likely that there will be some applications which do not have any option for doing this.

> In the phishing world - where users are being exposed to losses in the
> billion dollar range or so - we are crying out for the removal of v2.
> Can this be done?

SSL is supposed to negotiate the use of SSLv3 if it is supported by both the client and the server, so I don't see why disabling SSLv2 entirely would be useful aside from protecting against this vulnerability.

Colin Percival
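The "application-by-application" workaround discussed above, shown for one kind of application: a Python program that builds its TLS server context through the OpenSSL-backed `ssl` module. This is an added example, not code from the advisory, from OpenSSL, or from anyone on the list. It assumes a Python 3 interpreter whose `ssl` module exposes `OP_NO_SSLv2` and `PROTOCOL_TLS_SERVER` (both real names in the standard library); the helper names `harden_context`, `sslv2_possible` and `library_has_sslv2` are mine. The caveat it handles is that on OpenSSL 1.1.0 and later, where SSLv2 was removed from the library, `OP_NO_SSLv2` is defined as 0, so testing "is the bit set?" is not by itself a useful audit.

```python
import ssl


def library_has_sslv2() -> bool:
    """True if the linked OpenSSL still contains SSLv2 code.

    OpenSSL >= 1.1.0 dropped SSLv2 entirely and defines SSL_OP_NO_SSLv2 as 0,
    which Python surfaces as ssl.OP_NO_SSLv2 == 0.  On such a build there is
    nothing to disable; on older builds the flag is a real bit.
    """
    return int(ssl.OP_NO_SSLv2) != 0


def harden_context() -> ssl.SSLContext:
    """Server context with SSLv2 refused, regardless of library vintage.

    (Added example; hypothetical helper, not part of the advisory.)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Per-application switch: refuse SSLv2 at the handshake.  This is the
    # "configured to not permit the use of SSLv2" case in the advisory.
    ctx.options |= ssl.OP_NO_SSLv2
    # Deliberately do NOT OR in ssl.OP_ALL wholesale.  The advisory names
    # SSL_OP_ALL next to SSL_OP_MSIE_SSLV2_RSA_PADDING as the affected
    # option set, so enable individual workaround bits only if you need them.
    return ctx


def sslv2_possible(ctx) -> bool:
    """Audit helper: could this context ever negotiate SSLv2?

    Works on any object with an integer .options attribute so that a
    configuration read from elsewhere can be checked the same way.
    """
    if not library_has_sslv2():
        return False  # no SSLv2 code in the library at all
    return (int(ctx.options) & int(ssl.OP_NO_SSLv2)) == 0


if __name__ == "__main__":
    ctx = harden_context()
    print("library has SSLv2 code:", library_has_sslv2())
    print("hardened context can negotiate SSLv2:", sslv2_possible(ctx))
```

`harden_context()` is the part an application would keep; `sslv2_possible()` is the check to run in a test suite so that a later change to the options mask (for example someone adding `OP_ALL`) is caught before deployment.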