Date: Thu, 19 Oct 2023 09:18:40 -0400
From: Robert Fitzpatrick <robert@webtent.org>
To: FreeBSD <freebsd-questions@freebsd.org>
Subject: SSL/TLS remove/disable renegotiation capabilities
Message-ID: <54c94101-0930-dddf-4d66-1516b6d870b1@webtent.org>
As a result of a recent vulnerability scan using GVM 22.4 scanning FreeBSD 13.2, it is recommended to remove/disable renegotiation capabilities altogether from/in the affected SSL/TLS service for a MEDIUM vulnerability, CVE-2011-1473. Looking further at the CVE shows DISPUTED; furthermore, it looks like our version of OpenSSL is not affected?

robert@gvm:~$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

CVE: http://cve.circl.lu/cve/CVE-2011-1473

The host manager of the FreeBSD VM will want this mitigated. How could I apply the SSL_OP_NO_RENEGOTIATION option to openssl, or is there another solution?

--
Thanks, Robert
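The option Robert asks about is set per SSL_CTX by the application, not globally in OpenSSL; Python's ssl module exposes the same OpenSSL flag as ssl.OP_NO_RENEGOTIATION, so the following added example (not from the thread, nor FreeBSD or OpenSSL code; the certfile/keyfile parameters are hypothetical) shows a server context with renegotiation disabled next to the default one, and an audit helper that reports what a scanner like the one above would flag. It assumes Python 3.7+ linked against OpenSSL 1.1.0h or newer, which is where the flag exists.

```python
import ssl

# ssl.OP_NO_RENEGOTIATION is Python's binding for OpenSSL's
# SSL_OP_NO_RENEGOTIATION; absent on old OpenSSL builds, so probe for it.
HAVE_NO_RENEG = hasattr(ssl, "OP_NO_RENEGOTIATION")
RENEG_FINDING = "renegotiation allowed (SSL_OP_NO_RENEGOTIATION not set)"


def build_server_context(certfile=None, keyfile=None, disable_renegotiation=True):
    """Server-side SSLContext; certfile/keyfile are hypothetical paths.

    With disable_renegotiation=False the context keeps the library default,
    i.e. the configuration the scanner in the thread complains about.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # TLS 1.3 removed renegotiation entirely; only TLS 1.2 and below can
    # be asked to renegotiate, so refuse the retired protocol versions too.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if disable_renegotiation and HAVE_NO_RENEG:
        # Same effect as SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION):
        # a ClientHello or HelloRequest after the handshake is rejected
        # with a no_renegotiation alert instead of a second handshake.
        ctx.options |= ssl.OP_NO_RENEGOTIATION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def renegotiation_disabled(ctx):
    """True when this context will refuse TLS (<= 1.2) renegotiation."""
    if not HAVE_NO_RENEG:
        return False
    return bool(ctx.options & ssl.OP_NO_RENEGOTIATION)


def audit_context(ctx):
    """List the settings a renegotiation-focused scan would report."""
    findings = []
    if not renegotiation_disabled(ctx):
        findings.append(RENEG_FINDING)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings
```

Applying the option to a third-party daemon still means finding where that daemon builds its SSL_CTX (its own config knob, if it has one), since OpenSSL has no system-wide switch for it.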