OpenSSL Security Advisory [11 Jun 2015]
michelle at sorbs.net
Fri Jun 12 12:01:35 UTC 2015
Andrea Venturoli wrote:
> On 06/12/15 01:34, Michelle Sullivan wrote:
>> Roger Marquis wrote:
>>> The ports-secteam knows about this but posting here in case someone
>>> wants to
>>> update ahead of the port, from this morning's Hackernews:
>> *wonders how this will affect 8.x & 9.x* (seems to be no fix for 0.9.8
>> which 8.4 and 9.3 has 0.9.8zd in base - i expect 8.4 to get ignored as
>> it EoLs on Jun 30, 2015, but 9.3 EoLs on Dec 31, 2016)
> Sorry for jumping in...
> As I understood it, this new version will just do what one can
> manually do by tweaking configuration files (i.e. disable weak
> ciphers/short keys).
> Is it so?
> In other words, servers can be secured without applying this patch; on
> the other hand, simply upgrading makes the job easier and will also
> fix some daemon you might have forgotten.
> Am I right?
> Can someone please confirm or deny?
Theoretically yes... In practice I *think* it's no for OpenSSL <=
1.0.0 the config options will stop most of the issues but that's not
the end of the story as DH = 1024 seems to be still present on any
config that doesn't break most things when using openssl 0.9.8 (which
could be partly because it doesn't support TLS v1.1 or v1.2... and
therefore doesn't have the 'secure renegotiation' option/fix which I
believe is not fixable in TLS 1.0 - which is why SSL Labs now will not
rate any site not supporting TLS v1.2 over a 'C'.)
Either way I think it's either manually patch 0.9.8 for DH 2048/4096
(there are a couple floating around) or more preferably upgrade to
1.0.2b in base (which will make a lot of people happy!)
More information about the freebsd-ports