Subject: Re: SSL/TLS remove/disable renegotiation capabilities
To: FreeBSD <freebsd-questions@freebsd.org>
From: Robert Fitzpatrick <robert@webtent.org>
Date: Thu, 19 Oct 2023 09:27:44 -0400
Message-ID: <333aa0a9-c0ba-b29c-780d-359016dd31de@webtent.org>
In-Reply-To: <54c94101-0930-dddf-4d66-1516b6d870b1@webtent.org>
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
> Robert Fitzpatrick
> Thursday, October 19, 2023 9:18 AM
>
> As a result of a recent vulnerability scan using the GVM 22.4 scanning
> FreeBSD 13.2, it is recommended to remove/disable renegotiation
> capabilities altogether from/in the affected SSL/TLS service for a
> MEDIUM vulnerability CVE-2011-1473. Looking further at the CVE shows
> DISPUTED; furthermore, it looks like our version of OpenSSL is not
> affected?
>
> robert@gvm:~$ openssl version
> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
>
> CVE: http://cve.circl.lu/cve/CVE-2011-1473
>
> The host manager of the FreeBSD VM will want this mitigated, how could I
> apply the SSL_OP_NO_RENEGOTIATION option to openssl or other solution?

Actually, this is the result of a second CVE: http://cve.circl.lu/cve/CVE-2011-5094

-- 
Thanks, Robert
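An added example, not from this thread or from the FreeBSD or OpenSSL projects: it applies the SSL_OP_NO_RENEGOTIATION option the question asks about from Python, whose standard ssl module exposes the same OpenSSL option bit as ssl.OP_NO_RENEGOTIATION. The function names are my own, and the example assumes Python 3.7+ linked against OpenSSL 1.1.0h or newer.

```python
import ssl

# Added example (not from the mailing-list thread): the SSL_OP_NO_RENEGOTIATION
# option from the question, applied from Python, whose ssl module exposes the
# same OpenSSL option bit as ssl.OP_NO_RENEGOTIATION.


def renegotiation_option() -> int:
    """Return the OpenSSL SSL_OP_NO_RENEGOTIATION bit as Python exposes it.

    The attribute only exists when Python is linked against OpenSSL 1.1.0h or
    newer; on an older library the option cannot be set from here, so fail
    loudly rather than silently shipping a context that still renegotiates.
    """
    opt = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if opt is None:
        raise RuntimeError(f"{ssl.OPENSSL_VERSION} has no OP_NO_RENEGOTIATION")
    return opt


def make_default_server_context() -> ssl.SSLContext:
    """A plain server context: renegotiation is still allowed for TLS <= 1.2."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def make_hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses client-initiated renegotiation.

    TLS 1.3 has no renegotiation at all; the option bit governs TLS 1.2 and
    earlier, which is where the renegotiation CVEs from the question apply.
    """
    ctx = make_default_server_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= renegotiation_option()
    return ctx


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    """Audit a context's option mask, e.g. one built by some other module."""
    return bool(ctx.options & renegotiation_option())


if __name__ == "__main__":
    for name, ctx in (("default", make_default_server_context()),
                      ("hardened", make_hardened_server_context())):
        print(f"{name}: renegotiation disabled = {renegotiation_disabled(ctx)}")
```

A C program sets the same bit with SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); in both cases the option lives in the application's own TLS context, not in a system-wide setting.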