Date: Sat, 19 Dec 2009 14:13:45 +0100 From: "H. Ingow" <hingow@googlemail.com> To: Maxim Dounin <mdounin@mdounin.ru> Cc: freebsd-stable@freebsd.org, Chris H <chris#@1command.com> Subject: Re: SSL appears to be broken in 8-STABLE/RELEASE Message-ID: <f7206c210912190513s57781f86gff4c4b90f1ac7b3b@mail.gmail.com> In-Reply-To: <20091219122914.GJ43547@mdounin.ru> References: <f7206c210912190058u36222a04ge474279af10c9990@mail.gmail.com> <20091219111339.GH43547@mdounin.ru> <0edc3b334fc301f51193354f7a0da61b.HRCIM@webmail.1command.com> <20091219122914.GJ43547@mdounin.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Sorry if my proposal won't fit in this case and thanks, Maxim for
clearing out what exactly
to be aware of to have applications run with openssl .0.9.8l
But for the sake of completeness /usr/ports/security/tor-devel is very
well capable of handling
re-negotiation.
see src/common/tortls.c and grep for ALLOW_UNSAFE_LEGACY_RENEGOTIATION
you'll get
[......]
#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
/* Yes, we know what we are doing here. No, we do not treat a renegotiation
* as authenticating any earlier-received data. */
tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
#else
(void)tls;
#endif
[.....]
and#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
tls->ssl->s3->flags&=~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
#else
(void)tls;
#endif
[.....]
So that' the second one . Hopefully more to come .
Sorry for the confusion I may have caused, but it was tempting to
believe it was easy dealing
with hat matter.
On 12/19/09, Maxim Dounin <mdounin@mdounin.ru> wrote:
> Hello!
>
> On Sat, Dec 19, 2009 at 03:23:57AM -0800, Chris H wrote:
>
>> On Sat, December 19, 2009 3:13 am, Maxim Dounin wrote:
>> > Hello!
>> >
>> >
>> > On Sat, Dec 19, 2009 at 09:58:49AM +0100, H. Ingow wrote:
>> >
>> >
>> > [...]
>> >
>> >
>> >> Please try to compile your application against the version of openssl
>> >> available in the ports tree.
>> >>
>> >> As you already mentioned (SA-09:15) breaks renegotiation with base
>> >> system's
>> >> openssl by fixing a security issue ( it actually does).
>> >>
>> >> Prerequisite for the following is, of course, to install
>> >> /usr/ports/security/openssl which will give you
>> >> openssl 0.9.8l . (You do not necessarily have to remove the base
>> >> openssl)
>> >
>> > OpenSSL 0.9.8l has renegotiation disabled too, this won't help.
>> >
>> >
>> > The only difference is that 0.9.8l has some means to re-enable
>> > legacy renegotiation which may be utilized by applications which are
>> > aware of the
>> > problem.
>> Which is exactly what's required to implement your previous suggestion. :)
>
> No, my previous suggestion is unrelated.
>
> Additionally, to re-enable renegotiation in openssl 0.9.8l you
> need an application which is able to set
> SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s->s3->flags. I
> haven't seen any yet, and google codesearch is able
> to find only one such app (proftpd).
>
> Maxim Dounin
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?f7206c210912190513s57781f86gff4c4b90f1ac7b3b>