From file `Configure`, around line 720:

my %disabled = ( # "what"         => "comment" [or special keyword "experimental"]
                 "ec_nistp_64_gcc_128" => "default",
                 "gmp"            => "default",
                 "jpake"          => "experimental",
                 "md2"            => "default",
                 "rc5"            => "default",
                 "rfc3779"        => "default",
                 "sctp"           => "default",
                 "shared"         => "default",
                 "store"          => "experimental",
                 "zlib"           => "default",
                 "zlib-dynamic"   => "default"
               );
...

SSLv2 and Compression are broken; and SSLv3 is no longer advised.
Perhaps `Configure` should also include: "ssl2", "ssl3", and "comp" by
default.

There will be lots of folks who don't take the time to configure
properly. That penalizes the end users of the OpenSSL library (you,
me, my mom, your dad), and not the folks who build OpenSSL into a
product.

JW

**********

From Weith's "Differences Between SSLv2, SSLv3, and TLS", Section 2.2:

2.2 Problems with SSLv3

• It is possible to cause a key exchange algorithm rollback if the SSL
connection is only attempting to provide authenticity services and not
encryption[10].

• Replay attacks on anonymous key exchange: That allows an attacker to
pretend to be the server without detection but of course there is not
much that can be accomplished with that since he can’t guess the
private key associated with the random RSA key being talked about.

• Known plaintexts are available to an attacker in certain portions of
the protocol[10]. Of course the cryptosystems in use are supposed to
be resistant to such attacks and that is likely to be the reason why
the designers were not terribly concerned. On the other hand, if they
are not necessary to be revealed they should not be.

• Ad-hoc use of message authentication codes: there are MAC
constructions that have not been subject to analysis such as HMAC[10].
Wagner and Schneier don’t have any specific objections to them but the
point is valid: it’s better to use something that has withstood a fair
amount of analysis than something that hasn’t, particularly in fielded
systems.
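The `Configure` suggestion above amounts to a build-policy check: a feature is off for everyone unless the builder opts back in with `enable-<feature>`. The script below is an added example, not part of JW's post or of OpenSSL itself. It pulls the `%disabled` hash out of a `Configure` file with a small parser (the file text here is a constructed sample mirroring the quoted entries), then reports which of "ssl2", "ssl3" and "comp" are not disabled by default, which is the kind of check a team could run against its own OpenSSL source tree before building. The function names and the `REQUIRED_DISABLED` list are this example's own assumptions.

```python
import re
import sys

# Constructed sample shaped like the %disabled hash quoted from Configure.
# "ssl2", "ssl3" and "comp" are deliberately absent, as in the real file.
SAMPLE_CONFIGURE = '''
my %disabled = ( # "what"         => "comment" [or special keyword "experimental"]
                 "ec_nistp_64_gcc_128" => "default",
                 "gmp"            => "default",
                 "jpake"          => "experimental",
                 "md2"            => "default",
                 "rc5"            => "default",
                 "rfc3779"        => "default",
                 "sctp"           => "default",
                 "shared"         => "default",
                 "store"          => "experimental",
                 "zlib"           => "default",
                 "zlib-dynamic"   => "default"
               );
'''

# Features the post argues should be disabled unless a builder opts in
# (assumed policy list for this example).
REQUIRED_DISABLED = ("ssl2", "ssl3", "comp")


def parse_disabled(configure_text):
    """Return {feature: marker} from the %disabled hash in a Configure file.

    Handles the simple  "key" => "value"  pairs that hash uses.  Perl '#'
    comments are stripped first, because the header comment itself contains
    a "what" => "comment" pair that would otherwise be picked up as an entry.
    A '#' inside a quoted string would be mis-read as a comment; the real
    hash has none.
    """
    m = re.search(r'my\s+%disabled\s*=\s*\((.*?)\);', configure_text, re.S)
    if not m:
        raise ValueError("no %disabled hash found in Configure text")
    body = "\n".join(line.split("#", 1)[0] for line in m.group(1).splitlines())
    return dict(re.findall(r'"([^"]+)"\s*=>\s*"([^"]+)"', body))


def missing_defaults(disabled, required=REQUIRED_DISABLED):
    """Features from `required` that are not disabled by default ("default")."""
    return [f for f in required if disabled.get(f) != "default"]


def audit(configure_text, required=REQUIRED_DISABLED):
    """Summarise the policy check: what is disabled and what the policy still wants off."""
    disabled = parse_disabled(configure_text)
    return {
        "disabled_by_default": sorted(k for k, v in disabled.items() if v == "default"),
        "experimental": sorted(k for k, v in disabled.items() if v == "experimental"),
        "not_disabled": missing_defaults(disabled, required),
    }


if __name__ == "__main__":
    # Pass a real Configure path as argv[1]; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIGURE
    report = audit(text)
    for key, value in report.items():
        print(f"{key}: {', '.join(value) or '(none)'}")
    # Non-zero exit when the policy is not met, so a build script can stop here.
    sys.exit(1 if report["not_disabled"] else 0)
```

Run against the constructed sample it reports ssl2, ssl3 and comp as not disabled and exits 1; once those three entries are added to the hash (or a builder passes `no-ssl2 no-ssl3 no-comp` and the check is pointed at the resulting configuration) the list empties and the exit status is 0.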

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org