Thanks for that piece of information, it wasn't at all clear
from the context and subject lines.
I do not know why MS KB2643584 does not mention changing TLS 1.1
and/or TLS 1.2 behavior, maybe someone familiar with the attack
described in CVE2011-3389 knows a reason.
My general guess at this time is that the MS workaround of
artificially splitting certain unspecified SSL records is not the
only way to fix CVE2011-3389 and that this particular workaround
has not been tested by the OpenSSL core team.
I hope that now that we have apparently tracked this to a general
MS implementation change which is unrelated to the restricted CAC
hardware, that figuring out the OpenSSL compatibility issue will
be a lot easier than when only USG employees and contractors with
a CAC card could do the testing.
On 2/29/2012 8:40 PM, Tammany, Curtis wrote:
I had brought this issue up earlier ("Windows 7/IE8 CAC enabled sites"). With
SSL 3.0 only checked on IE8 (in windows 7), I could make a connection to my site that had
OpenSSL 1.0.0g. With both SSL 3.0 AND TLS 1.0 checked, I could not make a connection. We
rolled back versions of OpenSSL until we got to 0.9.8r which could make a connection with
both protocols enabled on the browser...
Will there be a version that will address MS12-006? TLS1.1? TLS1.2?
Curtis N. Tammany
Lead Web Application Developer, National Security& Defense
Systems Engineering and Technology
URS
16156 Dahlgren Road
Dahlgren, Virginia, 22448
curtis.tamm...@urs.com
540.663.9507
-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jakob Bohm
Sent: Wednesday, February 29, 2012 08:44
To: openssl-users@openssl.org
Subject: Re: OpenSSL& "Security Update for Windows Server 2008 R2 x 64 Edition
(KB2585542)"
On 2/29/2012 12:22 AM, Michael D wrote:
Security Update for Windows Server 2008 R2 x 64 Edition (KB2585542)
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28629
That page only instructs how to download the update
file for that particular build of Windows.
The real meat of the description is in
KB2643584 http://support.microsoft.com/kb/2643584
which (directly and indirectly) refers to
For SSL 3.0: RFC6101 Paragraph 5.2.1
http://tools.ietf.org/html/rfc6101#section-5.2.1
For TLS 1.0: RFC2246 Paragraph 6.2.1
http://tools.ietf.org/html/rfc2246#section-6.2.1
MS12-006
http://technet.microsoft.com/en-us/security/bulletin/ms12-006
CVE-2011-3389
Basically, this update causes Microsoft's own SSL library (SCHANNEL)
to split some data records in cases permitted but not required by
the SSL/TLS standards in order to avoid a known attack on the
standard protocol without this extra splitting. This extra splitting
is done only if SCHANNEL is called with an extra option bit, which
other updates have then added to some other Microsoft products (such
as Internet Explorer and the unrelated WinHTTP curl-like library).
Microsoft warns deep down in KB2643584 that some applications cannot
cope with receiving the split packets and suggests using a new system
setting to TEMPORARILY force disable the splitting until such
applications have been fixed in your particular setup.
Does anybody have any experience with this security patch?
It seems to affect older versions of openssl (0.9.7 or so)... does anybody have
experience with newer
versions?
[Basically after the patch is added..older openssl versions can't maintain a
connection]
In relation to OpenSSL, the following 3 questions remain open:
1. Are any versions of OpenSSL's own protocol library code unable
to cope with the CVE-2011-3389 additional record splitting?
2. Are any versions of OpenSSL's utility and command line programs
(such as s_client and s_server) unable to cope with the CVE-2011-3389
additional record splitting in cases where OpenSSL itself copes just
fine?
3. Is the application you use with OpenSSL unable to cope with the
CVE-2011-3389 additional record splitting in cases where OpenSSL
itself copes just fine?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
