On Sat, May 16, 2015, at 01:38, Dan Lukes wrote:
> Mark Felder wrote:
> >> Base OpenSSL in still supported releases is too old a version and doesn't
> >> support TLS 1.2 as well.
> >>
> >> Either TLS 1.0 is so insecure that it should not be used, or it is secure
> >> enough for FreeBSD.
> >
> > When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't
> > have these vulnerabilities or problems.
>
> All security patches are released because of something discovered after
> release. So it is nothing new nor special.
>
> But it's not the matter of my comment.
>
> As far as I know, there has been no discussion on FreeBSD Security
> related to the fact that FreeBSD 9 will not receive security patches for
> a particular known security issue. Nor even an announcement, if it has been
> considered no topic for discussion here.
>
> So I'm confused (as claimed in my previous comment). Either the issue is not
> so severe, and then I don't understand why TLS 1.0 needs to be disabled on
> the forums. Or it is so severe that I don't understand why there is still no
> Security Advisory dedicated to it. Well, there may be no solution known
> - but even in such a case the issue should be announced.
>

You're not understanding the situation: the vulnerability isn't in OpenSSL;
it's a design flaw / weakness in the protocol. This is why everyone is
running like mad from SSL 3.0 and TLS 1.0.

If you want a fix for your entire OS, upgrade to FreeBSD 10 which has a
newer version of OpenSSL in base that includes TLS 1.1 and 1.2. It's not
ABI compatible with older versions. You can't just wedge it into FreeBSD 8
or 9. Sorry.
> You're not understanding the situation: the vulnerability isn't in
> OpenSSL; it's a design flaw / weakness in the protocol. This is why
> everyone is running like mad from SSL 3.0 and TLS 1.0.

Right, there are two issues being discussed that should be separated.

The thread was originally about SSL version weaknesses, and the rationale
for that (keeping v1.0 around for the near term) was described quite well.

The second issue was regarding base and ports versions of openssl and how to
coordinate between them. I recommended an openssl_base port so that security
vulnerabilities (not necessarily protocol weaknesses) could be more easily
remediated (than installworld) and so 'pkg audit' could report on those. It
was asserted and reasserted that this would be infeasible; however, no
example or reason was given. Considering the time to write and test patches
is the same in either case, it is still an open question.

The problem of multiple versions of the same libraries and binaries,
however, remains a weakness in the FreeBSD security model. This may be one
of the reasons why the EU recently recommended more widespread adoption of
OpenBSD (vs FreeBSD). Either way, it is a design flaw that can and should be
solved in the most robust way possible.

Roger
On 05/17/15 22:20, Mark Felder:
> You're not understanding the situation: the vulnerability isn't in
> OpenSSL; it's a design flaw / weakness in the protocol.

Sorry, my English seems to be so poor that you don't understand my very
simple question. You are still answering other questions I didn't ask.

Last attempt. I will try to make the question as simple as possible. If it
will not help I will become silent.

The TLS 1.0 *protocol* is buggy, a new protocol has been implemented in a
new version of OpenSSL, but such a version will not be imported into FreeBSD
9 because of ABI incompatibility. Instead, the old version of OpenSSL and
the vulnerable protocol are still used by base system libraries and
utilities. So the base system IS affected by a known vulnerability.

Thus I'm asking. If TLS 1.0 is considered a severe security issue AND system
utilities are using it, why is there no Security Advisory describing this
system vulnerability?

Dan