FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

Jacques Vidrine jacques at vidrine.us
Tue Oct 11 09:47:23 PDT 2005


[Trimmed cc: to just the appropriate public mailing list.]

On Oct 11, 2005, at 7:25 AM, Ian G wrote:
> FreeBSD Security Advisories wrote:
>
>
>> Applications which do not support SSLv2, have been configured to not
>> permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
>> or SSL_OP_ALL options are not affected.
>> IV.  Workaround
>> No workaround is available.
>>
>
> Isn't the workaround obviously to switch off V2?

Yes.  Sorry that wasn't mentioned.

> SSL v2 should be disabled anyway.  In the browser
> world we have been actively moving to a position
> of not delivering SSL v2 as enabled by default,
> and we've been telling people to switch off SSL
> v2 for some time in order to flush out any issues.
> (none reported that I know of.)
>
> We *desperately* need this done so that servers
> can be switched off SSL v2 so they can deliver
> the SSL v3 hello so that we can start to use
> virtual hosts.  The ability to use more SSL
> more frequently feeds into tools that defend
> against phishing because they rely on the use
> of certificates to cache identity;  so this is
> actually a highly desirable thing in security
> terms.
>
> In the phishing world - where users are being
> exposed to losses in the billion dollar range
> or so - we are crying out for the removal of v2.
> Can this be done?

I agree.  The SSLv3 specification was published in 1995 and quickly
adopted.  Support for SSLv3 seemed pretty much ubiquitous by 1999.
SSLv2 has several well-known cryptographic weaknesses with real impact
and should not be used.  Summarizing [Rescorla 2000]:

* An attacker may interfere with the SSLv2 protocol negotiation in
order to force the selection of a weak suite of cryptographic
algorithms.  (This is the most severe problem for most installations,
IMHO)

* An attacker may inject a TCP FIN packet into an active SSLv2
session, causing data transfer to terminate.  This termination will
not be detected by the client or server.

* The only message authentication code (MAC) algorithm available for
SSLv2 is MD5.  There have been several developments that have caused
some cryptographers to become concerned about the security of MD5.

* SSLv2 uses the same key for encryption and message authentication,
so that any successful cryptographic attack is a total break.

* A design flaw in SSLv2 client authentication may allow an attacker
to hijack a client's credentials.

I've been concerned enough to disable SSLv2 in most of my own
installations.  But now that it is clear that there are
downgrade-to-SSLv2 attacks in some versions of OpenSSL (and probably
some other SSL/TLS implementations), I'm even more concerned.

Cheers,
-- 
Jacques Vidrine <jacques at vidrine.us>

[Rescorla 2000] Rescorla, Eric. _SSL and TLS: Designing and Building
Secure Systems_. Addison-Wesley, 2000.
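The first weakness in the list above (an unauthenticated SSLv2 negotiation that can be steered toward weak suites) is also the easiest thing for a defender to look for on the wire. The following is an added example, not part of the mailing-list thread or of OpenSSL: a small Python parser for the SSLv2 CLIENT-HELLO record format that a monitoring script could run over captured TCP payloads to spot hosts still negotiating SSLv2 and to list the cipher kinds they offer. The sample record it parses is constructed here; the CIPHER-KIND codes and the record layout follow the public SSLv2 specification.

```python
import struct

# SSLv2 CIPHER-KIND codes (3 bytes each) and their effective key length in bits.
SSLV2_CIPHER_KINDS = {
    0x010080: ("SSL_CK_RC4_128_WITH_MD5", 128),
    0x020080: ("SSL_CK_RC4_128_EXPORT40_WITH_MD5", 40),
    0x030080: ("SSL_CK_RC2_128_CBC_WITH_MD5", 128),
    0x040080: ("SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5", 40),
    0x050080: ("SSL_CK_IDEA_128_CBC_WITH_MD5", 128),
    0x060040: ("SSL_CK_DES_64_CBC_WITH_MD5", 56),
    0x0700C0: ("SSL_CK_DES_192_EDE3_CBC_WITH_MD5", 168),
}

def parse_sslv2_client_hello(payload):
    """Return a dict describing an SSLv2 CLIENT-HELLO, or None if the bytes
    are not one.  Handles the 2-byte record header (high bit of byte 0 set)."""
    if len(payload) < 11 or not (payload[0] & 0x80):
        return None
    rec_len = ((payload[0] & 0x7F) << 8) | payload[1]
    body = payload[2:2 + rec_len]
    if len(body) < 9 or body[0] != 0x01:          # 0x01 = CLIENT-HELLO
        return None
    version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:9])
    if cs_len % 3 or len(body) < 9 + cs_len + sid_len + ch_len:
        return None
    specs = body[9:9 + cs_len]
    kinds = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return {"version": version, "cipher_kinds": kinds, "challenge_len": ch_len}

def assess(hello):
    """Defender's view: names of the offered suites and those below 128-bit
    strength.  Nothing in this list is covered by a MAC, so the server sees
    whatever an on-path party leaves in it; the fix is not to speak SSLv2."""
    names = [SSLV2_CIPHER_KINDS.get(k, ("UNKNOWN-0x%06X" % k, 0))[0]
             for k in hello["cipher_kinds"]]
    weak = [SSLV2_CIPHER_KINDS[k][0] for k in hello["cipher_kinds"]
            if k in SSLV2_CIPHER_KINDS and SSLV2_CIPHER_KINDS[k][1] < 128]
    return names, weak

def build_sample():
    """Constructed CLIENT-HELLO offering RC4-128, 3DES and export RC4-40."""
    specs = b"".join(k.to_bytes(3, "big") for k in (0x010080, 0x0700C0, 0x020080))
    challenge = bytes(range(16))
    body = (b"\x01" + struct.pack(">HHHH", 0x0002, len(specs), 0, len(challenge))
            + specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

if __name__ == "__main__":
    hello = parse_sslv2_client_hello(build_sample())
    print(assess(hello))
```

A TLS record (first byte 0x16, no high bit) is rejected by the parser, so the same function can be applied to the first segment of every captured connection.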
