[OmniOS-discuss] PHEW! OpenSSL 1.0.2g and 1.0.1s NOW OUT, albeit with SSLv2_* enabled

Bob Friesenhahn bfriesen at simple.dallas.tx.us
Wed Mar 2 19:59:08 UTC 2016


On Wed, 2 Mar 2016, Peter Tribble wrote:
> 
> IIRC, 1.1.0 has this change already. That's fine, as it's a new release and is allowed
> to make incompatible changes.

Yes, that is why I mentioned it.

>       Perhaps it is possible to tweak the library (or config file) so that SSLv2 won't actually be used.
> 
> 
> Actually, no. What would be ideal is that openssl provided stub functions that return
> an error, so symbol resolution works fine (but anything actually calling SSLv2 will fail).
> As it is, they're yanking the functions and breaking binary compatibility by default.

As long as all SSLv2 code has been stripped out, this is safest. 
Otherwise it will be very difficult for OmniOS users to upgrade since 
programs will refuse to run.  There is still a question of what 
existing application code might do (continue on, quit, crash, 
lock-up?) if an error is reported by a stub function.

> Things are made worse by the fact that consumers of the openssl library (things like wget,
> libcurl) tend to blindly enable SSLv2 support if it's present in the openssl implementation
> they're built against. Often without a way of disabling it otherwise. So you either have to
> work out how to manually disable SSLv2 for those consumers, or build them on a system
> that has openssl installed but with SSLv2 disabled. Then, of course, you have to make
> sure that updated consumers get pushed out and updated by users *before* you push
> out a "fixed" openssl. And if end users have built applications, then they're up the creek
> without a paddle. It's just a mess.

OmniOS has decided to be responsible for the absolute minimum number 
of "consumers" so it is not in a position to correct the consumers. 
In contrast, Red Hat Linux provides a huge set of applications and so 
it can re-issue all those applications built against the new library.

Considering all sources of harm, it is likely safest for OmniOS to 
wait for the 1.1.0 release, and preserve the existing library (with 
SSLv2 functions as they appear in 1.0.2g or 1.0.1s) across upgrades. 
Then warn consumers to rebuild their applications.

This security problem primarily impacts SSL servers rather than 
clients.  Only a subset of OpenSSL consumers act as servers.

Bob
-- 
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
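The thread above turns on a practical question for an administrator: which installed consumers still resolve the `SSLv2_*` entry points that 1.0.2g/1.0.1s leave in place but a later library would remove, and which therefore would refuse to load after an upgrade. The following script is an added example written for this page, not code from the OmniOS project or from either poster. It assumes GNU `nm` output format (`U name` for an undefined symbol; on OmniOS that means `/usr/gnu/bin/nm`, or adapting the filter to `elfdump -N .dynsym`), and the `SAMPLE_NM_OUTPUT` block is constructed, not captured from a real binary. Note that the version-flexible `SSLv23_*` functions deliberately do not match, since those were retained.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find consumers that still
# resolve SSLv2_* symbols from libssl, i.e. the binaries and shared objects
# that would fail to load once those symbols are removed from the library.
# Assumes GNU nm output format; on OmniOS use /usr/gnu/bin/nm or elfdump.

# sslv2_refs_from_nm: read "nm -D" style lines on stdin, print each distinct
# undefined symbol whose name starts with "SSLv2_" (SSLv23_* is not matched).
sslv2_refs_from_nm() {
    awk '$1 == "U" && $2 ~ /^SSLv2_/ { print $2 }' | sort -u
}

# count_sslv2_refs: number of distinct undefined SSLv2_* symbols on stdin
count_sslv2_refs() {
    sslv2_refs_from_nm | wc -l | tr -d ' '
}

# scan_binary FILE: run nm -D on a real file; print "FILE: sym sym ..." when
# the file references SSLv2_* symbols, print nothing otherwise.
scan_binary() {
    f=$1
    refs=$(nm -D "$f" 2>/dev/null | sslv2_refs_from_nm)
    if [ -n "$refs" ]; then
        printf '%s: %s\n' "$f" "$(printf '%s\n' "$refs" | tr '\n' ' ')"
    fi
}

# scan_tree DIR: walk DIR for executables and shared objects and report each
# one that would break when SSLv2_* is dropped from libssl.
scan_tree() {
    find "$1" -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null |
    while read -r f; do
        scan_binary "$f"
    done
}

# Constructed sample of GNU "nm -D" output for a hypothetical consumer that
# was built against an OpenSSL with SSLv2 present. SSLv23_client_method is the
# version-flexible method and must not be reported.
SAMPLE_NM_OUTPUT='                 U SSL_CTX_new
                 U SSLv2_client_method
                 U SSLv23_client_method
                 U SSLv2_method
0000000000401000 T main
                 U SSL_library_init'

# Usage: ./sslv2_refs.sh --demo        (run the filter over the sample)
#        ./sslv2_refs.sh /usr/bin      (scan a real directory)
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_NM_OUTPUT" | sslv2_refs_from_nm ;;
    "")     ;;
    *)      scan_tree "$1" ;;
esac
```

Run against `/usr/bin`, `/usr/lib` or a site's own `/opt` tree, the report is the list of consumers that need rebuilding (or that need to be guarded with `OPENSSL_NO_SSL2` at build time) before a library without `SSLv2_*` can be shipped; an empty report means the stub-versus-removal question is moot for that host.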
