On Wed, 2 Mar 2016, Peter Tribble wrote:

IIRC, 1.1.0 has this change already. That's fine, as it's a new release and is allowed to make incompatible changes.

Yes, that is why I mentioned it.

Perhaps it is possible to tweak the library (or config file) so that SSLv2 won't actually be used.


Actually, no. What would be ideal is that openssl provided stub functions that return an error, so symbol resolution works fine (but anything actually calling SSLv2 will fail). As it is, they're yanking the functions and breaking binary compatibility by default.

As long as all SSLv2 code has been stripped out, this is safest. Otherwise it will be very difficult for OmniOS users to upgrade since programs will refuse to run. There is still a question of what existing application code might do (continue on, quit, crash, lock-up?) if an error is reported by a stub function.

Things are made worse by the fact that consumers of the openssl library (things like wget, libcurl) tend to blindly enable SSLv2 support if it's present in the openssl implementation they're built against. Often without a way of disabling it otherwise. So you either have to work out how to manually disable SSLv2 for those consumers, or build them on a system that has openssl installed but with SSLv2 disabled. Then, of course, you have to make sure that updated consumers get pushed out and updated by users *before* you push out a "fixed" openssl. And if end users have built applications, then they're up the creek without a paddle. It's just a mess.

OmniOS has decided to be responsible for the absolute minimum number of "consumers" so it is not in a position to correct the consumers. In contrast, Red Hat Linux provides a huge set of applications and so it can re-issue all those applications built against the new library.

Considering all sources of harm, it is likely safest for OmniOS to wait for the 1.1.0 release, and preserve the existing library (with SSLv2 functions as they appear in 1.0.2g or 1.0.1s) across upgrades. Then warn consumers to rebuild their applications.

This security problem primarily impacts SSL servers rather than clients. Only a subset of OpenSSL consumers act as servers.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
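The practical question raised in this exchange is which installed consumers would stop loading once the SSLv2 entry points disappear from libssl. The following POSIX sh audit is an added example, not part of the thread or of OmniOS or OpenSSL: it lists undefined references to the SSLv2-specific method functions (the symbol names are OpenSSL 1.0.x's own) and assumes an `nm` that accepts `-D` for dynamic symbols (GNU binutils or illumos). The `scan_sslv2` directory list and the sample `nm` output are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (constructed example, not OpenSSL or OmniOS code).
# Purpose: find binaries and shared objects that still reference the SSLv2
# entry points which are removed in OpenSSL 1.1.0, before the library is
# upgraded underneath them.

# Keep only undefined ("U") references to the SSLv2-specific method functions
# from `nm -D` output. A versioned suffix such as "@OPENSSL_1.0.0" is allowed.
# SSLv23_* is deliberately NOT matched: those are the version-flexible
# methods, remain available, and do not imply SSLv2 use on their own.
sslv2_refs() {
    awk '$1 == "U" && $2 ~ /^SSLv2_(client_|server_)?method(@.*)?$/ { print $2 }'
}

# Count SSLv2 references in nm output read from standard input.
count_sslv2_refs() {
    sslv2_refs | wc -l | tr -d ' '
}

# Walk the given directories and report each executable or shared object that
# would fail symbol resolution against a libssl without SSLv2 symbols.
# Usage (assumed paths): scan_sslv2 /opt/local/bin /opt/local/lib
scan_sslv2() {
    for dir in "$@"; do
        find "$dir" -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null |
        while read -r f; do
            n=$(nm -D "$f" 2>/dev/null | count_sslv2_refs)
            if [ "$n" -gt 0 ]; then
                echo "$f: $n SSLv2 reference(s)"
            fi
        done
    done
}
```

A hit from this scan means the file will fail to load, not merely negotiate SSLv2: the dynamic linker resolves the symbol at load time regardless of whether the code path is ever taken. That is the binary-compatibility point in the thread, and why a stub that returns an error would have degraded the failure from "program refuses to start" to "SSLv2 request fails at run time".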
_______________________________________________
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss