I had brought this issue up earlier ("Windows 7/IE8 CAC enabled sites"). With
SSL 3.0 only checked on IE8 (in windows 7), I could make a connection to my
site that had OpenSSL 1.0.0g. With both SSL 3.0 AND TLS 1.0 checked, I could
not make a connection. We rolled back versions of OpenSSL until we got to
0.9.8r which could make a connection with both protocols enabled on the
browser...
Will there be a version that will address MS12-006? TLS1.1? TLS1.2?
Curtis N. Tammany
Lead Web Application Developer, National Security & Defense
Systems Engineering and Technology
URS
16156 Dahlgren Road
Dahlgren, Virginia, 22448
curtis.tamm...@urs.com
540.663.9507
-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jakob Bohm
Sent: Wednesday, February 29, 2012 08:44
To: openssl-users@openssl.org
Subject: Re: OpenSSL & "Security Update for Windows Server 2008 R2 x 64 Edition
(KB2585542)"
On 2/29/2012 12:22 AM, Michael D wrote:
> Security Update for Windows Server 2008 R2 x 64 Edition (KB2585542)
> http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28629
That page only instructs how to download the update
file for that particular build of Windows.
The real meat of the description is in
KB2643584 http://support.microsoft.com/kb/2643584
which (directly and indirectly) refers to
For SSL 3.0: RFC6101 Paragraph 5.2.1
http://tools.ietf.org/html/rfc6101#section-5.2.1
For TLS 1.0: RFC2246 Paragraph 6.2.1
http://tools.ietf.org/html/rfc2246#section-6.2.1
MS12-006
http://technet.microsoft.com/en-us/security/bulletin/ms12-006
CVE-2011-3389
Basically, this update causes Microsoft's own SSL library (SCHANNEL)
to split some data records in cases permitted but not required by
the SSL/TLS standards in order to avoid a known attack on the
standard protocol without this extra splitting. This extra splitting
is done only if SCHANNEL is called with an extra option bit, which
other updates have then added to some other Microsoft products (such
as Internet Explorer and the unrelated WinHTTP curl-like library).
Microsoft warns deep down in KB2643584 that some applications cannot
cope with receiving the split packets and suggests using a new system
setting to TEMPORARILY force disable the splitting until such
applications have been fixed in your particular setup.
>
>
> Does anybody have any experience with this security patch?
>
> It seems to affect older versions of openssl (0.9.7 or so)... does anybody
> have experience with newer
> versions?
>
> [Basically after the patch is added..older openssl versions can't maintain a
> connection]
In relation to OpenSSL, the following 3 questions remain open:
1. Are any versions of OpenSSL's own protocol library code unable
to cope with the CVE-2011-3389 additional record splitting?
2. Are any versions of OpenSSL's utility and command line programs
(such as s_client and s_server) unable to cope with the CVE-2011-3389
additional record splitting in cases where OpenSSL itself copes just
fine?
3. Is the application you use with OpenSSL unable to cope with the
CVE-2011-3389 additional record splitting in cases where OpenSSL
itself copes just fine?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
