From: Jacques Vidrine <jacques@vidrine.us>
To: Ian G
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
Date: Tue, 11 Oct 2005 09:45:53 -0700
In-Reply-To: <434BCB75.2000402@iang.org>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org> <434BCB75.2000402@iang.org>
List-Id: "Security issues [members-only posting]"

[Trimmed cc: to just the appropriate public mailing list.]

On Oct 11, 2005, at 7:25 AM, Ian G wrote:

> FreeBSD Security Advisories wrote:
>
>> Applications which do not support SSLv2, have been configured to not
>> permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
>> or SSL_OP_ALL options are not affected.
>>
>> IV.  Workaround
>>
>> No workaround is available.
>
> Isn't the workaround obviously to switch off V2?

Yes.  Sorry that wasn't mentioned.

> SSL v2 should be disabled anyway.  In the browser world we have been
> actively moving to a position of not delivering SSL v2 as enabled by
> default, and we've been telling people to switch off SSL v2 for some
> time in order to flush out any issues.  (none reported that I know of.)
>
> We *desperately* need this done so that servers can be switched off
> SSL v2 so they can deliver the SSL v3 hello so that we can start to use
> virtual hosts.  The ability to use more SSL more frequently feeds into
> tools that defend against phishing because they rely on the use of
> certificates to cache identity; so this is actually a highly desirable
> thing in security terms.
>
> In the phishing world - where users are being exposed to losses in the
> billion dollar range or so - we are crying out for the removal of v2.
> Can this be done?

I agree.

The SSLv3 specification was published in 1995 and quickly adopted.
Support for SSLv3 seemed pretty much ubiquitous by 1999.

SSLv2 has several well-known cryptographic weaknesses with real impact
and should not be used.  Summarizing [Rescorla 2000]:

* An attacker may interfere with the SSLv2 protocol negotiation in order
  to force the selection of a weak suite of cryptographic algorithms.
  (This is the most severe problem for most installations, IMHO)

* An attacker may inject a TCP FIN packet into an active SSLv2 session,
  causing data transfer to terminate.  This termination will not be
  detected by the client or server.

* The only message authentication code (MAC) algorithm available for
  SSLv2 is MD5.  There have been several developments that have caused
  some cryptographers to become concerned about the security of MD5.

* SSLv2 uses the same key for encryption and message authentication, so
  that any successful cryptographic attack is a total break.

* A design flaw in SSLv2 client authentication may allow an attacker to
  hijack a client's credentials.

I've been concerned enough to disable SSLv2 in most of my own
installations.  But now that it is clear that there are
downgrade-to-SSLv2 attacks in some versions of OpenSSL (and probably
some other SSL/TLS implementations), I'm even more concerned.

Cheers,
-- 
Jacques Vidrine

[Rescorla 2000] Rescorla, Eric.  _SSL and TLS: Designing and Building
Secure Systems_.  Addison-Wesley, 2000.
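The first weakness in the list above (an active attacker forcing a weak cipher suite during SSLv2 negotiation) can be modelled in a few lines. The following is an added example, not part of the original message and not OpenSSL code: it is a simplified handshake in which the cipher-kind names are taken from the SSLv2 specification, but the message layout, the CHALLENGE nonce, the master secret and the choice of which suites count as "strong" are all constructed assumptions. It shows why a stripped CLIENT-HELLO goes unnoticed under SSLv2, whose SERVER-VERIFY/CLIENT-FINISHED messages only echo nonces, and is caught under SSLv3, whose Finished message is computed over the whole handshake transcript.

```python
"""Why an active attacker can force a weak cipher suite on SSLv2 but not
on SSLv3.  Constructed model for illustration: message formats, nonces and
key material are stand-ins, not either protocol's real wire encoding.
"""
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

# Cipher-kind names from the SSLv2 specification.  Which ones count as
# "strong" here is this example's assumption.
STRONG = ["RC4_128_WITH_MD5", "DES_192_EDE3_CBC_WITH_MD5"]
WEAK = ["RC4_128_EXPORT40_WITH_MD5", "RC2_128_CBC_EXPORT40_WITH_MD5"]

# Constructed stand-ins for the client's CHALLENGE nonce and for the master
# secret both ends derive (the attacker never learns the latter).
CHALLENGE = b"client-challenge-nonce"
MASTER_SECRET = b"master-secret-known-to-both-ends-only"

Attacker = Callable[[List[str]], List[str]]


def strip_strong(cipher_list: List[str]) -> List[str]:
    """Man-in-the-middle: forward the CLIENT-HELLO with the strong suites
    removed, leaving the server only export-grade choices."""
    return [c for c in cipher_list if c not in STRONG]


def finished(view: bytes) -> bytes:
    """Keyed digest a peer sends to prove it holds the master secret and to
    commit to the handshake data in `view`."""
    return hmac.new(MASTER_SECRET, view, hashlib.sha256).digest()


def transcript(offered: List[str], chosen: str) -> bytes:
    """Handshake transcript as one side saw it: nonce, offered list, choice."""
    return b"|".join([CHALLENGE, ",".join(offered).encode(), chosen.encode()])


def negotiate(protocol: str, client_offer: List[str], server_prefs: List[str],
              attacker: Optional[Attacker] = None) -> Tuple[Optional[str], bool]:
    """Run the simplified handshake.

    Returns (cipher the server selected, whether the client's check of the
    server's final message passed).  False means the client aborts.
    """
    sent = list(client_offer)                    # list the client actually sent
    seen = attacker(sent) if attacker else sent  # list the server received
    chosen = next((c for c in server_prefs if c in seen), None)
    if chosen is None:
        return None, False                       # no suite in common

    if protocol == "SSLv2":
        # SSLv2: SERVER-VERIFY and CLIENT-FINISHED only echo the CHALLENGE
        # and CONNECTION-ID nonces.  The cipher list is never covered, so
        # both ends compute the same value even after tampering.
        client_view = server_view = CHALLENGE
    elif protocol == "SSLv3":
        # SSLv3/TLS: Finished is computed over every handshake message the
        # sender saw.  A stripped list makes the two views differ.
        client_view = transcript(sent, chosen)
        server_view = transcript(seen, chosen)
    else:
        raise ValueError(f"unknown protocol {protocol!r}")

    ok = hmac.compare_digest(finished(server_view), finished(client_view))
    return chosen, ok


if __name__ == "__main__":
    offer = STRONG + WEAK        # client offers everything, strong first
    for proto in ("SSLv2", "SSLv3"):
        for label, mitm in (("clean", None), ("stripped", strip_strong)):
            cipher, ok = negotiate(proto, offer, offer, mitm)
            print(f"{proto} {label:8} -> {cipher:30} {'accepted' if ok else 'ABORTED'}")
```

Running it shows SSLv2 accepting RC4_128_EXPORT40_WITH_MD5 after the strong suites are stripped, while SSLv3 selects the same weak suite but the client's verification fails and the handshake is aborted. The model covers the intra-SSLv2 suite rollback only; the version rollback to SSLv2 that the advisory above addresses is a separate problem, and the practical defence for both is the one the thread arrives at: refuse SSLv2 altogether, which in OpenSSL means OR-ing SSL_OP_NO_SSLv2 into the options passed to SSL_CTX_set_options rather than relying on SSL_OP_ALL alone.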