From owner-freebsd-security@FreeBSD.ORG Sun May 17 23:06:22 2015
Message-ID: <55591EE8.9070101@obluda.cz>
Date: Mon, 18 May 2015 01:06:16 +0200
From: Dan Lukes
To: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?

On 05/18/15 00:00, Mark Felder:
>> If TLS 1.0 is considered a severe security issue AND system utilities are
>> using it, why is there no Security Advisory describing this system
>> vulnerability?
>>
>
> It's not a vulnerability in software, it's a weakness in the protocol
> design.

Like the protocol downgrade flaw triggered by a MITM attack, or the protocol design flaw in session renegotiation support. The first one was addressed in FreeBSD-SA-14:23.openssl, the second one in FreeBSD-SA-09:15.ssl.

So "is it a protocol flaw or an implementation bug" seems not to be the true major criterion.

OK, I wish I got the best answer to my question possible. I'm not going to discuss SA issuing policy in this thread.

Thank you.

Dan