Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
From: Jacques Vidrine (jacques_at_vidrine.us)
Date: Tue, 11 Oct 2005 09:45:53 -0700 To: Ian G <email@example.com>
[Trimmed cc: to just the appropriate public mailing list.]
On Oct 11, 2005, at 7:25 AM, Ian G wrote:
> FreeBSD Security Advisories wrote:
>> Applications which do not support SSLv2, have been configured to not
>> permit the use of SSLv2, or do not use the
>> or SSL_OP_ALL options are not affected.
>> IV. Workaround
>> No workaround is available.
> Isn't the workaround obviously to switch off V2?
Yes. Sorry that wasn't mentioned.
> SSL v2 should be disabled anyway. In the browser
> world we have been actively moving to a position
> of not delivering SSL v2 as enabled by default,
> and we've been telling people to switch off SSL
> v2 for some time in order to flush out any issues.
> (none reported that I know of.)
> We *desparately* need this done so that servers
> can be switched off SSL v2 so they can deliver
> the SSL v3 hello so that we can start to use
> virtual hosts. The ability to use more SSL
> more frequently feeds into tools that defend
> against phishing because they rely on the use
> of certificates to cache identity; so this is
> actually a highly desirable thing in security
> In the phishing world - where users are being
> exposed to losses in the billion dollar range
> or so - we are crying out for the removal of v2.
> Can this be done?
I agree. The SSLv3 specification was published in 1995 and quickly
adopted. Support for SSLv3 seemed pretty much ubiquitous by 1999.
SSLv2 has several well-known cryptographic weakness with real impact
and should not be used. Summarizing [Rescorla 2000]:
* An attacker may interfere with the SSLv2 protocol negotiation in
order to force the selection of a weak suite of cryptographic
algorithms. (This is the most severe problem for most installations,
* An attacker may inject a TCP FIN packet into an active SSLv2
session, causing data transfer to terminate. This termination will
not be detected by the client or server.
* The only message authentication code (MAC) algorithm available for
SSLv2 is MD5. There have been several developments that have caused
some cryptographers to become concerned about the security of MD5.
* SSLv2 uses the same key for encryption and message authentication,
so that any successful cryptographic attack is a total break.
* A design flaw in SSLv2 client authentication may allow an attacker
to hijack a client's credentials.
I've been concerned enough to disable SSLv2 in most of my own
installations. But now that it is clear that there are downgrade-to-
SSLv2 attacks in some versions of OpenSSL (and probably some other
SSL/TLS implementations), I'm even more concerned.
-- Jacques Vidrine <firstname.lastname@example.org> [Rescorla 2000] Rescorla, Eric. _SSL and TLS: Designing and Building Secure Systems_. Addison-Wesley, 2000. _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "firstname.lastname@example.org"