FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
Colin Percival
cperciva at freebsd.org
Tue Oct 11 09:26:48 PDT 2005
Ian G wrote:
> FreeBSD Security Advisories wrote:
>> Applications which do not support SSLv2, have been configured to not
>> permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
>> or SSL_OP_ALL options are not affected.
>>
>> IV. Workaround
>>
>> No workaround is available.
>
> Isn't the workaround obviously to switch off V2?
Disabling applications to not permit use of SSLv2 is a
workaround. However, this is something which needs to
be done on an application-by-application basis, and it
is likely that there will be some applications will do
not have any option for doing this.
> In the phishing world - where users are being
> exposed to losses in the billion dollar range
> or so - we are crying out for the removal of v2.
> Can this be done?
SSL is supposed to negotiate the use of SSLv3 if it is
supported by both the client and the server, so I don't
see why disabling SSLv2 entirely would be useful aside
from protecting against this vulnerability.
Colin Percival
More information about the freebsd-security
mailing list