----- Original Message ----- > From: "Gert Doering" <g...@greenie.muc.de> > To: "David Sommerseth" <openvpn.l...@topphemmelig.net> > Cc: "Gert Doering" <g...@greenie.muc.de>, "Jan Just Keijser" > <janj...@nikhef.nl>, openvpn-devel@lists.sourceforge.net > Sent: Saturday, 12 July, 2014 1:31:09 PM > Subject: Re: [Openvpn-devel] [PATCH] Add topology in sample server > configuration file > > Hi, > > On Sat, Jul 12, 2014 at 12:41:14PM +0200, David Sommerseth wrote: > > IIRC, the guy overseeing the Secure Response Team in RH is Mark Cox, which > > again > > is also an upstream OpenSSL maintainer. So I'm quite sure all RH releases > > have > > fixed this issue. > > Well, OpenSSL considers this a "feature", not an "issue"... and being > able to turn off session resumption is also considered a "feature"...
Ahh, right! I thought this was related to a CVE, but it seems not, according the OpenSSL changelog I found on the net [1]. SSL_OP_NO_TICKET comes with the implementation of RFC4507, which was introduced in 0.9.8f. I just double checked EL5, and it uses 0.9.8e as the base version. According to the RPM changelog, I don't see that RFC4507 has ever been backported. >From what I can grasp out of the OpenSSL changelog, RFC4507 is enabled by default *if* compiled into OpenSSL. And if it is compiled into OpenSSL, it can be disabled by setting the SSL_OP_NO_TICKET flag. Which would means 0.9.8e should be safe in this aspect and EL5 is not vulnerable at all. But it would be good if others can double this and see if I've understood this correctly, just so I don't say anything wrong. [1] <https://www.openssl.org/news/openssl-0.9.8-notes.html> -- kind regards, David Sommerseth
