Date: Mon, 18 May 2015 01:06:16 +0200
From: Dan Lukes <dan@obluda.cz>
To: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Message-ID: <55591EE8.9070101@obluda.cz>
In-Reply-To: <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com>
References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com>

On 05/18/15 00:00, Mark Felder:
>> If TLS 1.0 is considered severe security issue AND system utilities are
>> using it, why there is no Security Advisory describing this system
>> vulnerability ?
>>
>
> It's not a vulnerability in software, it's weakness in the protocol
> design.

Like protocol downgrade triggered by MITM attack flaw or protocol
design flaw in session renegotiation support. The first one addressed in
FreeBSD-SA-14:23.openssl, the second one in FreeBSD-SA-09:15.ssl

So the "is it protocol flaw or implementation bug" seems not to be true
major criteria.

OK, I wish I got best answer to my question possible. I'm not going to
discuss SA issuing policy in this thread.

Thank you.

Dan