[opensuse] RIP SSLv3
The Internet community officially banishes the notoriously unsafe Secure Sockets Layer protocol. The venerable “secure” network protocol Secure Sockets Layer (SSL) v3 has met its end. SSL has co-existed on the Internet alongside its presumed successor TLS for many years, even though experts have long warned of its shortcomings. A recent rash of high-profile incidents, however, including the famous POODLE exploit, have finally caused the Internet Engineering Task Force (IETF) to take action. Request for Comment (RFC) 7568 “Deprecating Secure Sockets Layer Version 3.0” officially states the requirement that SSLv3 should not be supported. The RFC is unusually blunt, with its all-cap stipulation that “SSLv3 MUST NOT be used.” Although most systems today support the safer TLS, many provide fallback support for SSLv3 if an SSL connection is requested. Attackers have perfected the technique of requesting an SSL connection then use one of the many exploits associated with SSL. RFC 7568 states that “Any party receiving a Hello message with the version set to {3,00} MUST respond with a ‘protocol_version’ alert message and close the connection.” Many OS and application vendors have already turned off support for SSLv3 through patches and security updates. http://www.linux-magazine.com/Online/News/RIP-SSLv3 BC -- Using openSUSE 13.2, KDE 4.14.6 & kernel 4.1.1-0 on a system with- AMD FX 8-core 3.6/4.2GHz processor 16GB PC14900/1866MHz Quad Channel RAM Gigabyte AMD3+ m/board; Gigabyte nVidia GTX660 GPU -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Hi, On Thu, Jul 02, 2015 at 09:19:05PM +1000, Basil Chupin wrote:
The Internet community officially banishes the notoriously unsafe Secure Sockets Layer protocol.
The venerable “secure” network protocol Secure Sockets Layer (SSL) v3 has met its end. SSL has co-existed on the Internet alongside its presumed successor TLS for many years, even though experts have long warned of its shortcomings. A recent rash of high-profile incidents, however, including the famous POODLE exploit, have finally caused the Internet Engineering Task Force (IETF) to take action. Request for Comment (RFC) 7568 “Deprecating Secure Sockets Layer Version 3.0” officially states the requirement that SSLv3 should not be supported.
The RFC is unusually blunt, with its all-cap stipulation that “SSLv3 MUST NOT be used.” Although most systems today support the safer TLS, many provide fallback support for SSLv3 if an SSL connection is requested. Attackers have perfected the technique of requesting an SSL connection then use one of the many exploits associated with SSL. RFC 7568 states that “Any party receiving a Hello message with the version set to {3,00} MUST respond with a ‘protocol_version’ alert message and close the connection.”
Many OS and application vendors have already turned off support for SSLv3 through patches and security updates.
To go along with that, openSUSE Tumbleweed will get openssl 1.0.2c with ssl3 disabled soonish. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
To go along with that, openSUSE Tumbleweed will get openssl 1.0.2c with ssl3 disabled soonish.
Ciao, Marcus
Hello, Sorry if you see this email several times. I have experienced some problems to get it posted. I have a printer and a router (not too old) that have web servers using https with SSLv3.0 to access configuration. I am getting this error "sec_error_reused_issuer_and_serial" when trying to access them with Firefox 38.0.1 (and chromium) on opensuse 13.2 , and I am not allow to continue despite the error. Do you know how can I get firefox not to complain about SSLv3 temporarily? Thanks, Edwin. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 07/03/2015 07:54 PM, Edwin Helbert Aponte Angarita wrote:
Hello,
Sorry if you see this email several times. I have experienced some problems to get it posted.
I have a printer and a router (not too old) that have web servers using https with SSLv3.0 to access configuration. I am getting this error "sec_error_reused_issuer_and_serial" when trying to access them with Firefox 38.0.1 (and chromium) on opensuse 13.2 , and I am not allow to continue despite the error. Do you know how can I get firefox not to complain about SSLv3 temporarily?
Thanks, Edwin.
Edwin, Please start a new question in situations like this and reference the post you are referring to (e.g. In "[opensuse] RIP SSLv3" SSLv3 was being deprecated, I have ....) That way proper threading is preserved on the list. As to your question, I don't know, but if I were acessing the printer, etc. locally, I would look to see if I could disable the https requirement for local subnets. Others will have to address the FF/Chromium issue. -- David C. Rankin, J.D.,P.E. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Edwin Helbert Aponte Angarita wrote:
To go along with that, openSUSE Tumbleweed will get openssl 1.0.2c with ssl3 disabled soonish.
Ciao, Marcus
Hello,
Sorry if you see this email several times. I have experienced some problems to get it posted.
I have a printer and a router (not too old) that have web servers using https with SSLv3.0 to access configuration.
Is your printer accessible from the outside net or is it accessible only from your internal net (presumption -- you have, at least, 2 network zones: inside (192.168.x.x or 10.x.x.x, etc) & outside (everything else). If it only accessible via your internal net and your computer's network address is also, "local only" -- then it _sounds_ like you don't need any encryption between the printer and your system. So you could disable an encrypted connection and plaintext to send to your printer (does it require usernames/passwords to print? Most don't -- so usally sniffing printer traffic results in attackers waisting much time for an uncertain payoff). Similarly for the router: What does your router do that your SuSE box cannot do? Presumably, the router was able to be accessed via an SSLv3 connection, like https? Does it also take a username and password? Does it have IP based network controls -- or does it maybe only have 1 external hookup that goes to a cable or dsl modem? Then maybe it has 1-4 "internal hookups" -- but would I be wrong to think all your internal addresses are on "unroutable" subnets (like 192.168.x.y or 10.x.y.z among a few others). If so, you might be able to configure the router to only listen for administrative access on internal ports and ignore external admin-connection attempts. Basically, if you have an internal net that is 'mostly' protected from the external net -- i.e. no direct connection from outside net to your internal net), maybe it is configurable to only listen on your interior interface (better if it can be limited to a physical interface(int. vs. ext), or it may have 'eth0' assigned for the internal nets, and eth1 for the outside. However your router may do it, if you can ensure outside traffic cannot get inside your net, except through the router (or a linux gateway), then do you really need encryption? I've been running samba w/no encryption since day one for performance reasons -- but my samba server only services my internal nets: interfaces = 192.168.4.1/24 192.168.3.1/24 127.0.0.1/32 (many will tell you there is no reason for the latter unless your server serves files to itself -- which it might in some sites). Just recently I updated my Suse openssl packages, and had real bad slowness problems with thunderbird, it seems the TLS protocol wasn't very robust or was just slow. I tried updating to a new version (Fossamail - v25.1.5 based on Tbird, was x64 too), I had it setup to speak TLS, but still had perf problems, as well as it *crashed* more often than my *old* Tbird (v2.0.0.24). On certain things -- it crashed reliably (trying to view an email in original HTML). I kicked it to the curb, went back to Tbird -- it whined because SSL3 was off, so no way to start an IMAPS session. So I switched it to "dovecot". Note: dovecot, by default is setup to not listen to unencrypted IMAP or allow unencrypted USER/PASS session setup -- so have to make sure dovecot listens to IMAP(143) and (or instead of) IMAPS(993).. Made that change and the speedup in email fetching/sending...etc became much faster -- and Tbird stopped hanging. So if you can use a non-encrypted connection (i.e. your local net is not connected to the outside world except through proxies (mine go through squid - external addresses are _usally_ unreachable unless I configure some temporary exception -- like explicitly turning on NAT on my linux box. But normally most of my internet communicating apps work though a webproxy(like squid) or SOCKS(dante). All of the above id dependent on keeping a strict barrier between outside and inside -- i.e. if I turn on 'NAT' for some reason (some software requires direct access and refuses to use a proxy to "activate the SW"), my risks go up -- but usually NAT is off and when it is on, well, I pretty much have to rely on the fact that being on an 'unroutable' IP (192.168/... or 10/...) will usually have the traffic dropped at any first gateway (i.e. my Netgear cable modem comes configured to drop any such traffic rather than trying to pass it on). The other advantage -- you can \often\ see a marked increase in performance.
I am getting this error "sec_error_reused_issuer_and_serial" when trying to access them with Firefox 38.0.1 (and chromium) on opensuse 13.2 , and I am not allow to continue despite the error. Do you know how can I get firefox not to complain about SSLv3 temporarily?
---- Where are you trying to connect? i.e. if you have a public email account like 'gmail', and need to download from them, you MUST not use unencrypted access methods... in that case, ick.... I don't think the follow-on-damage to the breakage of SSLv3 is even close to being done. TLS is a dog during the session startup (and that was over a local net (and many of the sessions would just "timeout" and hang tbird... If you are using gmail (as I see your domain says now), you might try to use something like fetchmail to download from gmail and then deliver it to your local account -- fetchmail is much easier to update and recompile with *safe* communication methods than is Tbird. Good luck... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (5)
-
Basil Chupin -
David C. Rankin -
Edwin Helbert Aponte Angarita -
Linda Walsh -
Marcus Meissner