[Pkg-openssl-devel] [Netscape/OpenSSL Cipher Forcing Bug]
Jürgen Heil
heil at qenta.at
Mon May 18 06:36:27 UTC 2009
Kurt,
thank you for your response. I sent a bug report to submit at bugs.debian.org
as you recommended.
Thank you very much!
Juergen
> -----Ursprüngliche Nachricht-----
> Von: pkg-openssl-devel-bounces+heil=qenta.at at lists.alioth.debian.org
> [mailto:pkg-openssl-devel-
> bounces+heil=qenta.at at lists.alioth.debian.org] Im Auftrag von Kurt
> Roeckx
> Gesendet: Mittwoch, 13. Mai 2009 21:51
> An: Package Development List for OpenSSL packages.
> Betreff: Re: [Pkg-openssl-devel] [Netscape/OpenSSL Cipher Forcing Bug]
>
> On Tue, May 12, 2009 at 11:49:44AM +0200, Jürgen Heil wrote:
> > Hi everybody,
> >
> > we do security scans on a regular basis. The mentioned OpenSSL bug
> has
> > always been listed as a Level 2 Vulnerability (Qualys) since
> yesterday. Now
> > it is listed as a level 3 Vulnerability which is not compliant to the
> PCI
> > DSS requirements.
>
> Do you have an URL for that? Does it have a CVE number?
>
> > # Diagnosis
> > Netscape's SSLv3 implementation had a bug where if a SSLv3 connection
> is
> > initially established, the first available cipher is used. If a
> session is
> > resumed, a different cipher may be chosen if it appears in the passed
> cipher
> > list before the session's current cipher. This bug can be used to
> change
> > ciphers on the server. OpenSSL contains this bug if the
> > SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is enabled during
> runtime.
> > This option was introduced for compatibility reasons. The problem
> arises
> > when different applications using OpenSSL's libssl library enable all
> > compatibility options including
> SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
> > thus enabling the bug.
>
> So the question is if you have any application that enable this,
> like maybe apache?
>
> > # Solution
> > This problem can be fixed by disabling the SSL OP NETSCAPE REUSE
> > CIPHER_CHANGE_BUG option from the options list of OpenSSL's libssl
> library.
> > This can be done by replacing the SSL OP ALL definition in the
> openssl/ssl.h
> > file with the following line:
> >
> > #define SSL OP ALL
> (0x00000FFFL^SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
> >
> > The library and all programs using this library need to be recompiled
> to
> > ensure that the correct OpenSSL library is used during linking.
>
> The library does not need to be rebuild for that, but all
> applications should. An other way it to patch openssl
> not to support it at all, and then you'll only have to
> update the library.
>
> > Can anyone please tell me if this problem has been addressed in past
> > releases of the openssl package? Or if it is gonna be addressed in
> future
> > releases?
>
> Nobody filed a bug against the Debian package yet, and upstream
> seems to know about this for 5 years. If you want to see
> this fixed, I suggest with starting to file a bug against
> the debian libssl0.9.8 package.
>
>
> Kurt
>
>
> _______________________________________________
> Pkg-openssl-devel mailing list
> Pkg-openssl-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-openssl-devel
More information about the Pkg-openssl-devel
mailing list