OpenSSL v0.9.8l released
AplusWebMaster
post Nov 6 2009, 07:11 PM
Post #1

FYI...

New version of OpenSSL released - OpenSSL 0.9.8l
- http://isc.sans.org/diary.html?storyid=7543
Last Updated: 2009-11-06 22:43:05 UTC - "Due to the recent publishing of information regarding a TLS/SSL protocol vulnerability (previous ISC diary entry can be found here http://isc.sans.org/diary.html?storyid=7534 ) OpenSSL has released a new version (OpenSSL 0.9.8l). It should be noted that this update does not "fix" the vulnerability in the protocol. It appears that they have made the choice to simply remove TLS/SSL renegotiation from their package by default... There will no doubt be instances where clients/servers will cease to function properly when renegotiation is disabled or removed. The nice thing about what OpenSSL has done is if you do run into issues, it appears to be an easy fix (set a flag and -hup!). So as always, make sure to test vigorously before you deploy! You can get this new version of OpenSSL at the link below:
http://www.openssl.org/source/
Release note from OpenSSL package:
'Disable renegotiation completely - this fixes a severe security problem (CVE-2009-3555) at the cost of breaking all renegotiation. Renegotiation can be re-enabled by setting SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at run-time. This is really not recommended unless you know what you're doing. [Ben Laurie]'
... Let us not forget that not all traffic that is TLS/SSL encrypted is HTTP. Just off the top of my head I can think of LDAP, MSSQL, Email, and let us not forget SSL VPNs! Since this is a bug in a low-lying protocol that higher level applications/protocols rely on there will no doubt be a lot of interesting issues raised. No doubt plenty of people including myself will have a busy weekend rereading the TLS specification. For those who are bored, feel free to read that specification at the URL below:
TLS 1.0: http://www.ietf.org/rfc/rfc2246.txt
SSL 3.0: http://tools.ietf.org/html/draft-ietf-tls-ssl-version3-00 "

- http://www.us-cert.gov/current/#ssl_and_tls_vulnerable_to
November 6, 2009

- http://blogs.iss.net/archive/stealingcookieswiths.html
November 12, 2009


This post has been edited by AplusWebMaster: Nov 16 2009, 04:22 AM
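A first-pass inventory check that follows from the release note above: 0.9.8l is the first 0.9.8 build with renegotiation off by default, so hosts reporting an earlier letter release still have it on. This is an added example, not code from the post or from OpenSSL; it parses `openssl version` banners, handles OpenSSL's letter-suffix ordering (0.9.8k < 0.9.8l), and treats branches the post says nothing about as unknown. The inventory and hostnames are constructed sample data, and a 0.9.8l+ host that re-enables renegotiation via the runtime flag is not caught by a version check.

```python
import re
from typing import Optional

# Version at which OpenSSL disabled TLS/SSL renegotiation by default (from the release note).
RENEG_DISABLED_SINCE = (0, 9, 8, "l")

_VER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Optional[tuple]:
    """Parse an 'openssl version' banner such as 'OpenSSL 0.9.8k 25 Mar 2009'
    into (major, minor, patch, letter). An empty letter sorts before 'a',
    which matches OpenSSL's own ordering (0.9.8 < 0.9.8a < ... < 0.9.8l)."""
    m = _VER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter.lower())


def renegotiation_disabled_by_default(banner: str) -> Optional[bool]:
    """True for 0.9.8l or a later 0.9.8 letter release (renegotiation off by
    default), False for an earlier 0.9.8 build, None for any other branch or
    an unparsable banner (the post only covers the 0.9.8 line)."""
    v = parse_openssl_version(banner)
    if v is None or v[:3] != RENEG_DISABLED_SINCE[:3]:
        return None
    return v >= RENEG_DISABLED_SINCE


# Constructed sample inventory: "host<TAB>banner", one host per line.
SAMPLE_INVENTORY = """\
ldap01\tOpenSSL 0.9.8k 25 Mar 2009
mail01\tOpenSSL 0.9.8l 5 Nov 2009
vpn01\tOpenSSL 0.9.8g 19 Oct 2007
web01\tOpenSSL 0.9.7m 23 Feb 2007
"""


def classify_hosts(inventory: str) -> dict:
    """Map each host to 'update' (pre-0.9.8l, renegotiation still on),
    'ok' (0.9.8l or later) or 'unknown' (other branch / unparsable)."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, banner = line.partition("\t")
        state = renegotiation_disabled_by_default(banner)
        result[host] = "unknown" if state is None else ("ok" if state else "update")
    return result
```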