Date: Fri, 12 Jun 2015 14:01:31 +0200 From: Michelle Sullivan <michelle@sorbs.net> To: Andrea Venturoli <ml@netfence.it> Cc: marquis@roble.com, freebsd-ports@freebsd.org, secteam@FreeBSD.org Subject: Re: OpenSSL Security Advisory [11 Jun 2015] Message-ID: <557ACA1B.40001@sorbs.net> In-Reply-To: <557A7E17.5040304@netfence.it> References: <20150611183848.2D328F4C@hub.freebsd.org> <557A1B16.3060606@sorbs.net> <557A7E17.5040304@netfence.it>
next in thread | previous in thread | raw e-mail | index | archive | help
Andrea Venturoli wrote: > On 06/12/15 01:34, Michelle Sullivan wrote: >> Roger Marquis wrote: >>> The ports-secteam knows about this but posting here in case someone >>> wants to >>> update ahead of the port, from this morning's Hackernews: >>> >>> <https://www.openssl.org/news/secadv_20150611.txt>; >>> >> >> *wonders how this will affect 8.x & 9.x* (seems to be no fix for 0.9.8 >> which 8.4 and 9.3 has 0.9.8zd in base - i expect 8.4 to get ignored as >> it EoLs on Jun 30, 2015, but 9.3 EoLs on Dec 31, 2016) >> >> Michelle >> > > Sorry for jumping in... > As I understood it, this new version will just do what one can > manually do by tweaking configuration files (i.e. disable weak > ciphers/short keys). > Is it so? > > In other words, servers can be secured without applying this patch; on > the other hand, simply upgrading makes the job easier and will also > fix some daemon you might have forgotten. > Am I right? > > Can someone please confirm or deny? Theoretically yes... In practice I *think* it's no for OpenSSL <= 1.0.0 the config options will stop most of the issues but that's not the end of the story as DH = 1024 seems to be still present on any config that doesn't break most things when using openssl 0.9.8 (which could be partly because it doesn't support TLS v1.1 or v1.2... and therefore doesn't have the 'secure renegotiation' option/fix which I believe is not fixable in TLS 1.0 - which is why SSL Labs now will not rate any site not supporting TLS v1.2 over a 'C'.) Either way I think it's either manually patch 0.9.8 for DH 2048/4096 (there are a couple floating around) or more preferably upgrade to 1.0.2b in base (which will make a lot of people happy!) -- Michelle Sullivan http://www.mhix.org/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?557ACA1B.40001>