On Sat, May 16, 2015, at 01:38, Dan Lukes wrote:
> Mark Felder wrote:
> >> Base OpenSSL in still-supported releases is too old a version and doesn't
> >> support TLS 1.2 either.
> >>
> >> Either TLS 1.0 is so insecure and should not be used, or is secure
> >> enough for FreeBSD.
> 
> > When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't
> > have these vulnerabilities or problems.
> 
> All security patches are released because of something discovered after
> release. So it is nothing new or special.
> 
> But that's not the point of my comment.
> 
> As far as I know, there has been no discussion on FreeBSD Security
> related to the fact that FreeBSD 9 will not receive security patches for a
> particular known security issue. Nor even an announcement, if it has been
> considered not a topic for discussion here.
> 
> So I'm confused (as stated in my previous comment). Either the issue is not
> so severe, in which case I don't understand why TLS 1.0 needs to be disabled
> on the forums. Or it is so severe that I don't understand why there is still
> no Security Advisory dedicated to it. Well, there may be no solution known,
> but even in such a case the issue should be announced.
> 
> 

You're not understanding the situation: the vulnerability isn't in
OpenSSL; it's a design flaw / weakness in the protocol. This is why
everyone is running like mad from SSL 3.0 and TLS 1.0.

If you want a fix for your entire OS, upgrade to FreeBSD 10, which has a
newer version of OpenSSL in base that includes TLS 1.1 and 1.2. It's not
ABI compatible with older versions. You can't just wedge it into FreeBSD
8 or 9. Sorry.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"

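The exchange above turns on a distinction worth seeing in bytes: the weakness is the protocol version the two sides agree on, so the fix on the server side is a version-selection policy, not an OpenSSL patch, and a client whose base OpenSSL can only offer TLS 1.0 is locked out by that policy. The following is an added example, not code from the thread or from FreeBSD: it builds ClientHello records in memory (constructed input, no network), parses the versions a client offers (legacy client_version, or the TLS 1.3 supported_versions extension), and applies a server's minimum-version window the way a forum that has disabled TLS 1.0 would. The cipher suite code points are arbitrary filler and the version selection is the textbook rule, not any particular TLS stack's implementation.

```python
"""Minimal TLS ClientHello builder/parser plus server-side version selection.

Added example for the thread above; not from the mailing list or FreeBSD.
All messages are constructed in memory, so nothing touches the network.
"""
import os
import struct

# Protocol version code points (RFC 5246 for <=1.2, RFC 8446 for 1.3).
VERSIONS = {
    "SSLv3": 0x0300,
    "TLSv1.0": 0x0301,
    "TLSv1.1": 0x0302,
    "TLSv1.2": 0x0303,
    "TLSv1.3": 0x0304,
}
NAMES = {v: k for k, v in VERSIONS.items()}
EXT_SUPPORTED_VERSIONS = 43  # supported_versions, RFC 8446 section 4.2.1


def build_client_hello(client_version, supported_versions=None,
                       cipher_suites=(0x002F, 0xC02F)):
    """Return one TLS record carrying a ClientHello (constructed test input).

    client_version is the legacy client_version field: the highest version a
    pre-1.3 client speaks. supported_versions, if given, adds the TLS 1.3
    extension that carries the real offer. Cipher suites are arbitrary filler.
    """
    body = struct.pack("!H", client_version)
    body += os.urandom(32)                        # client random
    body += b"\x00"                               # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                           # compression: null only
    if supported_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = struct.pack("!B", len(vers)) + vers
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # legacy_record_version is commonly 0x0301 on the first flight and must
    # not be used for negotiation (RFC 8446 section 5.1).
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record and return the versions the client offers."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                  # skip the random
    pos += 1 + body[pos]                          # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    offered = None
    if pos < len(body):                           # extensions present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                offered = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                           for i in range(0, n, 2)]
    if offered is None:
        # Legacy rule: the client accepts any version up to client_version.
        offered = [v for v in sorted(VERSIONS.values()) if v <= client_version]
    return {"client_version": client_version, "offered": offered}


def select_version(offered, server_min, server_max):
    """Highest offered version inside the server's window, or None.

    None is the case where a real server sends a protocol_version alert:
    this is what a TLS 1.0-only client sees from a server whose minimum
    is TLS 1.2, regardless of how well patched either OpenSSL is.
    """
    ok = [v for v in offered if server_min <= v <= server_max]
    return max(ok) if ok else None


def negotiate(record, server_min, server_max):
    """Convenience wrapper: parse a ClientHello and return the chosen name."""
    chosen = select_version(parse_client_hello(record)["offered"],
                            server_min, server_max)
    return NAMES[chosen] if chosen is not None else None


if __name__ == "__main__":
    old_client = build_client_hello(VERSIONS["TLSv1.0"])
    print("TLS 1.0-only client vs. server min TLS 1.2:",
          negotiate(old_client, VERSIONS["TLSv1.2"], VERSIONS["TLSv1.3"]))
    print("TLS 1.0-only client vs. permissive server:",
          negotiate(old_client, VERSIONS["TLSv1.0"], VERSIONS["TLSv1.3"]))
```

Run it and the first line prints None: the old client is rejected not because of a bug in its OpenSSL but because its best offer falls below the server's window, which is exactly the lever the forum operators pulled. The second line shows the same client succeeding against a server that still allows TLS 1.0.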