On Sat, May 16, 2015, at 01:38, Dan Lukes wrote:
> Mark Felder wrote:
> >> Base OpenSSL in still supported releases is too old a version and
> >> doesn't support TLS 1.2 either.
> >>
> >> Either TLS 1.0 is so insecure that it should not be used, or it is
> >> secure enough for FreeBSD.
>
> > When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't
> > have these vulnerabilities or problems.
>
> All security patches are released because of something discovered after
> release. So it is nothing new nor special.
>
> But it's not the matter of my comment.
>
> As far as I know, there has been no discussion on FreeBSD Security
> related to the fact that FreeBSD 9 will not receive security patches for
> a particular known security issue. Nor even an announcement, if it has been
> considered no topic for discussion here.
>
> So I'm confused (as claimed in my previous comment). Either the issue is
> not so severe, in which case I don't understand why TLS 1.0 needs to be
> disabled on the forums. Or it is so severe that I don't understand why
> there is still no Security Advisory dedicated to it. Well, there may be no
> solution known - but even in such a case the issue should be announced.
>
You're not understanding the situation: the vulnerability isn't in
OpenSSL; it's a design flaw / weakness in the protocol. This is why
everyone is running like mad from SSL 3.0 and TLS 1.0.
If you want a fix for your entire OS, upgrade to FreeBSD 10, which has a
newer version of OpenSSL in base that includes TLS 1.1 and 1.2. It's not
ABI-compatible with older versions. You can't just wedge it into FreeBSD
8 or 9. Sorry.
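Two checks an administrator in this thread's position would want, added here as example code rather than anything from the thread or from FreeBSD: decode the linked OpenSSL's version number to see whether it is at or past 1.0.1 (the first release with TLS 1.1 and 1.2), and build a server context that refuses TLS 1.0 the way the forums did. The sample version numbers in the test are constructed values for the 0.9.8 and 1.0.x series, not a claim about which release any FreeBSD branch shipped.

```python
import ssl

# First OpenSSL release that implements TLS 1.1 and TLS 1.2.
TLS12_MIN_OPENSSL = (1, 0, 1)


def decode_openssl_version(number):
    """Split an OPENSSL_VERSION_NUMBER into (major, minor, fix, patch).

    Layout is MNNFFPPS for the 0.9.x/1.x series (status nibble dropped).
    OpenSSL 3.x keeps the same top bits for major and minor, so the
    comparison against TLS12_MIN_OPENSSL still works for it.
    """
    major = (number >> 28) & 0xF
    minor = (number >> 20) & 0xFF
    fix = (number >> 12) & 0xFF
    patch = (number >> 4) & 0xFF
    return (major, minor, fix, patch)


def supports_tls12(number):
    """True if an OpenSSL with this version number can negotiate TLS 1.2."""
    return decode_openssl_version(number)[:3] >= TLS12_MIN_OPENSSL


def local_openssl_can_do_tls12():
    """Check the OpenSSL this Python interpreter is actually linked against."""
    return supports_tls12(ssl.OPENSSL_VERSION_NUMBER)


def tls12_only_server_context():
    """Server context that rejects SSL 3.0, TLS 1.0 and TLS 1.1 handshakes.

    This is the server-side equivalent of what the forum operators did;
    clients stuck on a TLS-1.0-only stack will fail the handshake.
    Requires Python 3.7+ for ssl.TLSVersion.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "-> can do TLS 1.2:", local_openssl_can_do_tls12())
```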