From owner-freebsd-security@FreeBSD.ORG Sun May 17 20:20:20 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 3E34EB95 for ; Sun, 17 May 2015 20:20:20 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0EE491919 for ; Sun, 17 May 2015 20:20:19 +0000 (UTC) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 7406C20968 for ; Sun, 17 May 2015 16:20:12 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute4.internal (MEProxy); Sun, 17 May 2015 16:20:12 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=enbBi/8UaCjkBni yXvrRRNX6RFU=; b=N9x23vKMQPje2Cc5saTsJ/oumkyOiFf9l7f/ZR0zEooD2x1 KyrXv6Lh255KOPyEaIyuh7HMl9RvQkPEmZm3TvNrvMzBxPK6n/m0VXO1Kiqc3dbr tIVy4nFHTUY4C2fZDEkOEBA24Oc9ii+zaxzxy6xODlv2s+DsCv0jrHZDOHJk= Received: by web3.nyi.internal (Postfix, from userid 99) id 4E1D61013E0; Sun, 17 May 2015 16:20:12 -0400 (EDT) Message-Id: <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> X-Sasl-Enc: ggdfqEYIZ/dI5+R/BO+5J4s7G3fM5mNwOXUgeyzEo2T6 1431894012 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Sun, 17 May 2015 15:20:12 -0500 In-Reply-To: <5556E5DC.7090809@obluda.cz> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 May 2015 20:20:20 -0000 On Sat, May 16, 2015, at 01:38, Dan Lukes wrote: > Mark Felder wrote: > >> Base OpenSSL in still supported releases is too old version and doesn't > >> support TLS 1.2 as well. > >> > >> Either TLS 1.0 is so insecure and should not be used, or is secure > >> enough for FreeBSD. > > > When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't > > have these vulnerabilities or problems. > > All security patches are released because of something discovered after > release. So it is nothing new nor special. > > But it's not the matter of my comment. > > As far as I know, there has been no discussion on FreeBSD Security > related to fact that FreeBSD 9 will not receive security patches for > particular known security issue. Nor even announcement, if it has been > considered no topic for discussion here. > > So I'm confused (as claimed in previous comment). Other the issue is not > so severe, then I don't understand why TLS 1.0 needs to be disabled on > forums. Or it is so severe so I don't understand why there is still no > Security Advisory dedicated to it. Well, there may be no solution known > - but even in such case the issue should be announced. > > You're not understanding the situation: the vulnerability isn't in OpenSSL; it's a design flaw / weakness in the protocol. This is why everyone is running like mad from SSL 3.0 and TLS 1.0. If you want a fix for your entire OS, upgrade to FreeBSD 10 which has a newer version of OpenSSL in base that includes TLS 1.1 and 1.2. It's not ABI compatible with older versions. You can't just wedge it into FreeBSD 8 or 9. Sorry.