Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

Ian G wrote:
> FreeBSD Security Advisories wrote:
>> Applications which do not support SSLv2, have been configured to not
>> permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
>> or SSL_OP_ALL options are not affected.
>>
>> IV.  Workaround
>>
>> No workaround is available.
> 
> Isn't the workaround obviously to switch off V2?

Disabling applications to not permit use of SSLv2 is a
workaround.  However, this is something which needs to
be done on an application-by-application basis, and it
is likely that there will be some applications will do
not have any option for doing this.

> In the phishing world - where users are being
> exposed to losses in the billion dollar range
> or so - we are crying out for the removal of v2.
> Can this be done?

SSL is supposed to negotiate the use of SSLv3 if it is
supported by both the client and the server, so I don't
see why disabling SSLv2 entirely would be useful aside
from protecting against this vulnerability.

Colin Percival
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"