* [gentoo-user] SSLv2 is back today (gone tomorrow?)
From: walt @ 2016-03-04 13:57 UTC
To: gentoo-user
I notice that openssl-1.0.2g-r2 restores SSLv2 as a temporary fix
for the breakage caused by r1 yesterday.
My machines are working just fine without SSLv2 so I'm going to skip
the update to r2 and keep r1 while waiting for a permanent fix. I'm
not a security expert, so I'd like to hear opinions from people who are.
Should people who have already installed r1 and are not having any
problems just stay with r1 for now? Or not.
* Re: [gentoo-user] SSLv2 is back today (gone tomorrow?)
From: Alan McKinnon @ 2016-03-04 14:23 UTC
To: gentoo-user
On 04/03/2016 15:57, walt wrote:
> I notice that openssl-1.0.2g-r2 restores SSLv2 as a temporary fix
> for the breakage caused by r1 yesterday.
>
> My machines are working just fine without SSLv2 so I'm going to skip
> the update to r2 and keep r1 while waiting for a permanent fix. I'm
> not a security expert, so I'd like to hear opinions from people who are.
>
> Should people who have already installed r1 and are not having any
> problems just stay with r1 for now? Or not.
>
>
The relevant bug is here
https://bugs.gentoo.org/show_bug.cgi?id=576128
If you have sslv2 enabled, your choices are clear:
1. high likelihood of wholesale breakage, or
2. wait a little longer for a proper fix
Obviously -r1 is ideal as it disables sslv2. If you have it and it
works, leave it in place.
Everyone else is going to have to make up their own mind, and there's no
sane rational advice that can be given for all, considering what the
choices are above.
FreeBSD is also hit with the same issue for similar reasons, and Fedora
has its own pain. Between them and Gentoo I have every confidence a
real fix will come out soon.
My choice is to sit tight for now. I can't afford to run the risk of
taking the company's vital FreeBSD servers off the air to fix a bug
unproven to be exploited in the wild. It's a tough choice.
--
Alan McKinnon
alan.mckinnon@gmail.com
* Re: [gentoo-user] SSLv2 is back today (gone tomorrow?)
From: Adam Carter @ 2016-03-05 8:35 UTC
To: gentoo-user@lists.gentoo.org
> The relevant bug is here
>
> https://bugs.gentoo.org/show_bug.cgi?id=576128
>
> If you have sslv2 enabled, your choices are clear:
>
> 1. high likelihood of wholesale breakage, or
> 2. wait a little longer for a proper fix
>
> Obviously -r1 is ideal as it disables sslv2. If you have it and it
> works, leave it in place.
>
> Everyone else is going to have to make up their own mind, and there's no
> sane rational advice that can be given for all, considering what the
> choices are above.
>
Remember that the versions of OpenSSL with SSLv2 can be safe if you disable
SSLv2 in the services that use that code, e.g., in Apache, at a minimum, set:
SSLProtocol All -SSLv2
To find out what software is using OpenSSL:
# qdepends -Q openssl
and then investigate how to disable SSLv2 in each of those with network
services. Don't forget to restart!
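The "SSLProtocol All -SSLv2" advice above has a trap in it: mod_ssl applies the tokens left to right, a bare token replaces the whole protocol set, "+tok" adds and "-tok" removes, so "-SSLv2 All" re-enables SSLv2 while "All -SSLv2" disables it. The following POSIX shell audit is an added example written for this page, not code from the thread, from Gentoo or from the Apache project. It assumes the Apache 2.2 mod_ssl semantics (where "All" includes SSLv2 when OpenSSL was built with it, and a vhost with no SSLProtocol directive defaults to "all"); Apache 2.4 dropped SSLv2 outright, so it matters for 2.2-era configs. The sample config files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit Apache SSLProtocol directives
# for leftover SSLv2 exposure, using the assumed Apache 2.2 mod_ssl rules:
# tokens apply left to right, a bare token replaces the set, "+tok" adds,
# "-tok" removes, and "All" includes SSLv2.

# Print "yes" if the given SSLProtocol value leaves SSLv2 enabled,
# "no" if it does not, "unknown" on a token mod_ssl would reject.
sslv2_enabled_by() {
    v2=0                              # the directive starts from an empty set
    for tok in $1; do
        case "$tok" in
            +*) action=add; name=${tok#+} ;;
            -*) action=del; name=${tok#-} ;;
            *)  action=set; name=$tok ;;
        esac
        case "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" in
            all|sslv2)                   touches_v2=1 ;;
            sslv3|tlsv1|tlsv1.1|tlsv1.2) touches_v2=0 ;;
            *) echo unknown; return 0 ;;
        esac
        case "$action" in
            set) v2=$touches_v2 ;;
            add) if [ "$touches_v2" -eq 1 ]; then v2=1; fi ;;
            del) if [ "$touches_v2" -eq 1 ]; then v2=0; fi ;;
        esac
    done
    if [ "$v2" -eq 1 ]; then echo yes; else echo no; fi
}

# Scan one config file.  Every uncommented SSLProtocol line is checked;
# a file with none falls back to the assumed 2.2 default of "all", which
# enables SSLv2.  Returns 0 when nothing enables SSLv2, 1 otherwise.
audit_sslprotocol() {
    file=$1; found=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            [Ss][Ss][Ll][Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]]*) ;;
            *) continue ;;            # comments and other directives
        esac
        value=$(printf '%s' "$trimmed" | sed 's/^[^[:space:]]*[[:space:]]*//')
        found=1
        verdict=$(sslv2_enabled_by "$value")
        if [ "$verdict" != no ]; then
            echo "$file: SSLv2 $verdict: SSLProtocol $value"
            bad=1
        fi
    done < "$file"
    if [ "$found" -eq 0 ]; then
        echo "$file: no SSLProtocol directive, default 'all' enables SSLv2"
        bad=1
    fi
    return "$bad"
}

# Demo on two constructed vhost snippets: one hardened as the thread
# advises, one that looks hardened but re-enables SSLv2 by token order.
run_demo() {
    dir=$(mktemp -d)
    cat > "$dir/hardened.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    # SSLProtocol All
    SSLProtocol All -SSLv2
</VirtualHost>
EOF
    cat > "$dir/legacy.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -SSLv2 All
</VirtualHost>
EOF
    for f in "$dir"/*.conf; do
        if audit_sslprotocol "$f"; then echo "$f: ok"; fi
    done
    rm -rf "$dir"
}
run_demo
```

Run it over the mod_ssl configs of whichever packages `qdepends -Q openssl` lists as network services; daemons other than Apache have their own directive names and need their own checks. Config auditing only shows intent: after the restart, confirm on the live listener with `openssl s_client -connect host:443 -ssl2`, which needs an openssl binary still built with SSLv2 (the -r2 build, not -r1) and should fail to handshake.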