From owner-freebsd-security@FreeBSD.ORG Wed Mar 17 18:55:40 2004
Date: Thu, 18 Mar 2004 10:54:34 +0800
From: Ng Pheng Siong
To: Rostislav Krasny
cc: Dag-Erling Smørgrav
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD-SA-04:05.openssl question
Message-ID: <20040318025434.GB875@vista.netmemetic.com>
References: <20040318022009.52877.qmail@web14804.mail.yahoo.com>
In-Reply-To: <20040318022009.52877.qmail@web14804.mail.yahoo.com>

On Wed, Mar 17, 2004 at 06:20:09PM -0800, Rostislav Krasny wrote:
> --- Dag-Erling Smørgrav wrote:
> > From the URL you mentioned: "Most applications have no ability to use
> > Kerberos ciphersuites and will therefore be unaffected."
>
> Do you imply that applications with ability to use Kerberos
> ciphersuites are impossible to be implemented for current versions of FreeBSD?

The text before the above quoted "Most applications have no ability..." read

    A remote attacker could perform a carefully crafted SSL/TLS handshake
    against a server configured to use Kerberos ciphersuites [...]

Instead of asking about impossibility in the abstract, ask if you do run
servers that support Kerberos ciphersuites and, if yes, how to configure
your software to not use them.

Cheers.

-- 
Ng Pheng Siong

http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- Open Source Python Crypto & SSL