Date: Tue, 11 Oct 2005 09:45:53 -0700
From: Jacques Vidrine <jacques@vidrine.us>
To: Ian G <iang@iang.org>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
Message-ID: <B9EA75B5-B5AE-4164-A91E-061E5AECCC5B@vidrine.us>
In-Reply-To: <434BCB75.2000402@iang.org>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org> <434BCB75.2000402@iang.org>
[Trimmed cc: to just the appropriate public mailing list.]

On Oct 11, 2005, at 7:25 AM, Ian G wrote:

> FreeBSD Security Advisories wrote:
>
>> Applications which do not support SSLv2, have been configured to not
>> permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
>> or SSL_OP_ALL options are not affected.
>>
>> IV. Workaround
>>
>> No workaround is available.
>
> Isn't the workaround obviously to switch off V2?

Yes. Sorry that wasn't mentioned.

> SSL v2 should be disabled anyway. In the browser world we have been
> actively moving to a position of not delivering SSL v2 as enabled by
> default, and we've been telling people to switch off SSL v2 for some
> time in order to flush out any issues. (none reported that I know of.)
>
> We *desperately* need this done so that servers can be switched off
> SSL v2 so they can deliver the SSL v3 hello so that we can start to use
> virtual hosts. The ability to use more SSL more frequently feeds into
> tools that defend against phishing because they rely on the use of
> certificates to cache identity; so this is actually a highly desirable
> thing in security terms.
>
> In the phishing world - where users are being exposed to losses in the
> billion dollar range or so - we are crying out for the removal of v2.
> Can this be done?

I agree.

The SSLv3 specification was published in 1995 and quickly adopted.
Support for SSLv3 seemed pretty much ubiquitous by 1999.

SSLv2 has several well-known cryptographic weaknesses with real impact
and should not be used. Summarizing [Rescorla 2000]:

 * An attacker may interfere with the SSLv2 protocol negotiation in
   order to force the selection of a weak suite of cryptographic
   algorithms. (This is the most severe problem for most
   installations, IMHO)

 * An attacker may inject a TCP FIN packet into an active SSLv2
   session, causing data transfer to terminate. This termination will
   not be detected by the client or server.

 * The only message authentication code (MAC) algorithm available for
   SSLv2 is MD5. There have been several developments that have caused
   some cryptographers to become concerned about the security of MD5.

 * SSLv2 uses the same key for encryption and message authentication,
   so that any successful cryptographic attack is a total break.

 * A design flaw in SSLv2 client authentication may allow an attacker
   to hijack a client's credentials.

I've been concerned enough to disable SSLv2 in most of my own
installations. But now that it is clear that there are
downgrade-to-SSLv2 attacks in some versions of OpenSSL (and probably
some other SSL/TLS implementations), I'm even more concerned.

Cheers,
-- 
Jacques Vidrine <jacques@vidrine.us>

[Rescorla 2000] Rescorla, Eric. _SSL and TLS: Designing and Building
Secure Systems_. Addison-Wesley, 2000.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B9EA75B5-B5AE-4164-A91E-061E5AECCC5B>
