Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Ian Smith
On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote:
 > Hello
 > 
 > >> But I don't think disabling TLS 1.0 is ok.
 > >>
 > > 
 > > TLS 1.0 is dead and is even now banned in new installations according to
 > > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
 > > by *any* HTTPS site now.
 > 
 > Maybe it is dead, but it is still used in many old browsers / software.
 > 
 > In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 by 30 June 2016.
 > (new installations "in theory" should not be built on TLS 1.0).
 > 
 > So we have 1 year and the FreeBSD forum is not an e-commerce site ;)

People seem determined to make sure freebsd forums are one of the first 
sites to ban TLS 1.0, as some sort of best-practice example.

I admit my knowledge of TLS issues is scant.  I'd like to know whether 
allowing TLS 1.0 - with fallback from later levels denied, as it already 
is - endangers the server, or only the client?  If there's a clearly 
stated and immediate danger to the forum server, I can accept that, but 
I'd have thought https://www and svnweb would be more at such peril? 
Will there be any notice before they're denied TLS 1.0 access also?

If it's just for making the sort of point that Mark is advocating, to 
force people to join this 'rolling automatic update' model so beloved of 
Microsoft and their captive hardware vendors, then I think doing that, 
without any sort of prior notice, is rather less than I've come to 
expect from the FreeBSD project over 17 years.

But I'm a grandpa too; guess I have old-fashioned expectations :)

cheers, Ian
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"


Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Mark Felder


On Fri, May 15, 2015, at 03:07, Ian Smith wrote:
> On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote:
>  > Hello
>  > 
>  > >> But I don't think disabling TLS 1.0 is ok.
>  > >>
>  > > 
>  > > TLS 1.0 is dead and is even now banned in new installations according to
>  > > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
>  > > by *any* HTTPS site now.
>  > 
>  > Maybe it is dead, but it is still used in many old browsers / software.
>  > 
>  > In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 by 30 June 2016.
>  > (new installations "in theory" should not be built on TLS 1.0).
>  > 
>  > So we have 1 year and the FreeBSD forum is not an e-commerce site ;)
> 
> People seem determined to make sure freebsd forums are one of the first 
> sites to ban TLS 1.0, as some sort of best-practice example.
> 
> I admit my knowledge of TLS issues is scant.  I'd like to know whether 
> allowing TLS 1.0 - with fallback from later levels denied, as it already 
> is - endangers the server, or only the client?  If there's a clearly 
> stated and immediate danger to the forum server, I can accept that, but 
> I'd have thought https://www and svnweb would be more at such peril? 
> Will there be any notice before they're denied TLS 1.0 access also?
> 

The danger is decryption. Your username/password could be stolen if
someone captures your traffic after successfully initiating a downgrade
attack.

You can't log in to www.freebsd.org or svnweb. The most they can do is
see what you're browsing, which isn't private anyway.

> If it's just for making the sort of point that Mark is advocating, to 
> force people to join this 'rolling automatic update' model so beloved of 
> Microsoft and their captive hardware vendors, then I think doing that, 
> without any sort of prior notice, is rather less than I've come to 
> expect from the FreeBSD project over 17 years.
> 
> But I'm a grandpa too; guess I have old-fashioned expectations :)
> 

Microsoft has nothing to do with this. They're setting a good example.
OSX is sort-of on that train too. FreeBSD has always been ahead of the
curve with the ports tree being a rolling-release model. We need the
Linux distros to get their heads on straight now, too.

Just a reminder: I don't speak for the project in these matters. I'm
just telling you what best current practices are. I have no idea who
made that decision for the forums, or if it's even worth having the
forums on https anyway. If it was up to me I probably wouldn't even put
https on the forums even though Google will penalize it in search
results. (Sure, you have a user account there... but it doesn't really
do anything... you're not using the same credentials everywhere are
you?)

Actually, that might be the reason -- Google search results. Perhaps
Google is also logging what protocols/ciphers your HTTPS has and is
using that in search rankings.
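The downgrade risk Mark describes above is something a defender can look for passively. The following is an added example, not code from the thread or the FreeBSD project: it parses a captured ClientHello/ServerHello pair, flags a session negotiated below a policy minimum (TLS 1.1 here, i.e. TLS 1.0 denied), and flags a server that completed a fallback retry instead of refusing it. The fallback signal (the TLS_FALLBACK_SCSV cipher suite value from RFC 7507) and the sample records are assumptions constructed for the example, not taken from the list.

```python
import struct

TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling suite a client adds on a fallback retry

def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (type 1) or ServerHello (type 2)."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    htype, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    info = {"type": htype, "version": struct.unpack("!H", hs[:2])[0]}
    pos = 2 + 32 + 1 + hs[34]            # skip version, random, session id length + id
    if htype == 1:                        # ClientHello: inspect the offered cipher suites
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        suites = struct.unpack(f"!{cs_len // 2}H", hs[pos + 2:pos + 2 + cs_len])
        info["fallback_scsv"] = TLS_FALLBACK_SCSV in suites
    return info

def evaluate(client_hello: bytes, server_hello: bytes,
             min_version: int = 0x0302, server_max: int = 0x0303) -> list:
    """Policy findings for one captured handshake; an empty list means nothing to report."""
    c, s = parse_hello(client_hello), parse_hello(server_hello)
    findings = []
    if s["version"] < min_version:
        findings.append(f"negotiated {TLS_NAMES.get(s['version'], hex(s['version']))} below policy minimum")
    if c["fallback_scsv"] and c["version"] < server_max:
        findings.append("server completed a fallback (SCSV) hello below its own maximum: downgrade not refused")
    return findings

def build_hello(htype: int, version: int, suites=(0x002F,)) -> bytes:
    """Constructed sample Hello record for testing: zero random, empty session id."""
    hs = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
    if htype == 1:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        hs += struct.pack("!H", len(cs)) + cs + b"\x01\x00" + b"\x00\x00"  # null compression, no extensions
    else:
        hs += struct.pack("!H", suites[0]) + b"\x00"                        # chosen suite, null compression
    body = bytes([htype]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 0x16, 0x0301, len(body)) + body

if __name__ == "__main__":
    print("clean session:", evaluate(build_hello(1, 0x0303), build_hello(2, 0x0303)))
    print("downgraded session:", evaluate(build_hello(1, 0x0301, (0x002F, TLS_FALLBACK_SCSV)),
                                          build_hello(2, 0x0301)))
```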


Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Mark Felder


On Thu, May 14, 2015, at 06:31, Dan Lukes wrote:
> Patrick Proniewski wrote:
> >> "Data Transfer Interrupted
> >> The connection to forums.freebsd.org has terminated unexpectedly. Some 
> >> data may have been transferred."
> > 
> > looks like your browser/OS does not support TLS 1.2.
> 
> I'm confused by FreeBSD policy, a lot.
> 
> Base OpenSSL in still-supported releases is too old a version and doesn't
> support TLS 1.2 either.
> 
> Either TLS 1.0 is so insecure that it should not be used, or it is secure
> enough for FreeBSD.
> 

When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't
have these vulnerabilities or problems. In fact, TLS 1.2 existed as a
protocol (2008) but OpenSSL didn't even implement it yet (not until
2010)! Thankfully FreeBSD 8 is EoL on June 30, 2015, but we still have
to live with FreeBSD 9.3 until Dec 31 2016. That's going to be painful,
but we shouldn't kill it off sooner than we have to as a courtesy to our
users.

FreeBSD needs to change, too. That is not being ignored.

In the future FreeBSD's base libraries like OpenSSL hopefully will be
private: only the base system knows they exist; no other software will
see them. This will mean that every port/package you install requiring
OpenSSL will *always* use OpenSSL from ports/packages; no conflict is
possible. This also solves the problem of stale software in the base
system and allows FreeBSD to do major upgrades of this software in point
releases to keep the base system fresh.

Last I knew this approach was still being discussed, but it will be a
fantastic improvement to the FreeBSD OS model when it happens.


Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Roger Marquis

Mark Felder wrote:

> In the future FreeBSD's base libraries like OpenSSL hopefully will be
> private: only the base system knows they exist; no other software will
> see them. This will mean that every port/package you install requiring
> OpenSSL will *always* use OpenSSL from ports/packages; no conflict is
> possible.


That's one way of approaching it but there are drawbacks to this method.
Maintaining two sets of binaries and libraries that must be kept separate
(using what kind of ACLs?) adds complexity.  Complexity is the enemy of
security.

Another option is a second openssl port, one that overwrites base and
guarantees compatibility with RELEASE.  Then we could at least have all
versions of openssl in vuln.xml (not that that's been a reliable
indicator of security of late).

Roger Marquis


Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Mark Felder


On Fri, May 15, 2015, at 10:22, Roger Marquis wrote:
> Mark Felder wrote:
> > In the future FreeBSD's base libraries like OpenSSL hopefully will be
> > private: only the base system knows they exist; no other software will
> > see them. This will mean that every port/package you install requiring
> > OpenSSL will *always* use OpenSSL from ports/packages; no conflict is
> > possible.
> 
> That's one way of approaching it but there are drawbacks to this method.
> Maintaining two sets of binaries and libraries that must be kept separate
> (using what kind of ACLs?) adds complexity.  Complexity is the enemy of
> security.
> 

It should be less complex than you're thinking. It's literally just
libraries outside the linker search path.

> Another option is a second openssl port, one that overwrites base and
> guarantees compatibility with RELEASE.  Then we could at least have all
> versions of openssl in vuln.xml (not that that's been a reliable
> indicator of security of late).
> 

This will never work. You can't guarantee compatibility with RELEASE and
upgrade it too.


Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Julian H. Stacey
Patrick Proniewski wrote:

> That's always the problem with guys like you and me who live in the real 
> world. We can't cope with "what should be dead and no longer used". 
> Deprecated tomcat/Java/SSL/You-name-it software that you can't just upgrade 
> because it's used with hardware/software you can't get rid of.


FreeBSD needs more mature code management to restrict idealists, eg:

- src/ bsd tar : bad code rushed in too soon to replace Gnu (I filed fixes).
- ports/mail/majordomo : Deleted as mature!  An immature reason.
- ports/print/acroread9 deleted for security (so use chroot) & as Adobe
  support ceased (so use compat/).  Government would fine me lots
  of money & close down the company if I don't continue use of it.
- Those last two I will need to maintain outside FreeBSD.org.

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
Indent previous with "> ".  Reply Below as a play script.
Send plain text, Not quoted-printable, HTML, or base64.


Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Roger Marquis

Mark Felder wrote:

>> Another option is a second openssl port, one that overwrites base and
>> guarantees compatibility with RELEASE.  Then we could at least have all
>> versions of openssl in vuln.xml (not that that's been a reliable
>> indicator of security of late).
>
> This will never work. You can't guarantee compatibility with RELEASE and
> upgrade it too.


How do you figure?  RedHat does exactly that with every backport, and
they do it for the life of a release.

Roger


Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Don Lewis
On 15 May, Roger Marquis wrote:
> Mark Felder wrote:
>>> Another option is a second openssl port, one that overwrites base and
>>> guarantees compatibility with RELEASE.  Then we could at least have all
>>> versions of openssl in vuln.xml (not that that's been a reliable
>>> indicator of security of late).
>>>
>>
>> This will never work. You can't guarantee compatibility with RELEASE and
>> upgrade it too.
> 
> How do you figure?  RedHat does exactly that with every backport, and
> they do it for the life of a release.

They have paying customers to cover the cost of the salaries of the Red
Hat employees who backport security fixes to whatever version of
software that they included in the initial release if it has been
abandoned by its upstream source.  Don't expect any new features,
though.

According to ,
RHEL 4 is supported through March 2017 and RHEL 5 is supported through
November 2020, though both are now in the extended lifecycle support
phase, which is an "add on" and probably costs an extra leg.  RHEL 4
uses openssl 0.9.7 and RHEL 5 uses openssl 0.9.8.  According to
, upstream support for the former
ended in February 2007 and the latter will end at the end of 2015.
Neither support TLS v1.1 or v1.2.  If you need that and you are stuck on
one of these versions of RHEL, you are on your own and have to wedge a
newer version into the system yourself by downloading the source,
running configure and make, and installing under /usr/local.  Then you
need to build whatever needs the new openssl yourself, making sure that
it picks up the right version.  No shiny RPMs for you!

I used to run CentOS 4 (RHEL 4 clone) at a previous job.  It came with
an ancient version of gcc that wasn't capable of compiling some other
piece of software that I needed.  I needed to wedge in a recent version
of gcc, binutils, and a bunch of other dependencies before I could even
get around to building the software package that I actually needed.



Re: Forums.FreeBSD.org - SSL Issue?

2015-05-15 Thread Dan Lukes
Mark Felder wrote:
>> Base OpenSSL in still-supported releases is too old a version and doesn't
>> support TLS 1.2 either.
>>
>> Either TLS 1.0 is so insecure that it should not be used, or it is secure
>> enough for FreeBSD.

> When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't
> have these vulnerabilities or problems.

All security patches are released because of something discovered after
release. So it is nothing new nor special.

But it's not the matter of my comment.

As far as I know, there has been no discussion on FreeBSD Security
related to the fact that FreeBSD 9 will not receive security patches for
a particular known security issue. Nor even an announcement, if it has
been considered no topic for discussion here.

So I'm confused (as claimed in my previous comment). Either the issue is
not so severe, in which case I don't understand why TLS 1.0 needs to be
disabled on the forums. Or it is so severe, in which case I don't
understand why there is still no Security Advisory dedicated to it.
Well, there may be no solution known - but even in such a case the issue
should be announced.


Dan
