Forums.FreeBSD.org - SSL Issue?
Dan Lukes
dan at obluda.cz
Sun May 17 23:06:22 UTC 2015
On 05/18/15 00:00, Mark Felder:
>> If TLS 1.0 is considered a severe security issue AND system utilities are
>> using it, why is there no Security Advisory describing this system
>> vulnerability?
>>
>
> It's not a vulnerability in software, it's a weakness in the protocol
> design.
Like the protocol downgrade triggered by a MITM attack flaw or the
protocol design flaw in session renegotiation support. The first one was
addressed in FreeBSD-SA-14:23.openssl, the second one in
FreeBSD-SA-09:15.ssl.

So the "is it a protocol flaw or an implementation bug" seems not to be
the true major criterion.
OK, I wish I got the best answer to my question possible. I'm not going to
discuss SA issuing policy in this thread.
Thank you.
Dan
More information about the freebsd-security mailing list