Re: OpenSSL & "Security Update for Windows Server 2008 R2 x 64 Edition (KB2585542)"

Wed, 29 Feb 2012 05:45:38 -0800 

On 2/29/2012 12:22 AM, Michael D wrote:

Security Update for Windows Server 2008 R2 x 64 Edition (KB2585542)
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28629

That page only instructs how to download the update
file for that particular build of Windows.

The real meat of the description is in

   KB2643584 http://support.microsoft.com/kb/2643584

which (directly and indirectly) refers to

  For SSL 3.0: RFC6101 Paragraph 5.2.1
     http://tools.ietf.org/html/rfc6101#section-5.2.1
  For TLS 1.0: RFC2246 Paragraph 6.2.1
     http://tools.ietf.org/html/rfc2246#section-6.2.1
  MS12-006
     http://technet.microsoft.com/en-us/security/bulletin/ms12-006
  CVE-2011-3389

Basically, this update causes Microsoft's own SSL library (SCHANNEL)
to split some data records in cases permitted but not required by
the SSL/TLS standards in order to avoid a known attack on the
standard protocol without this extra splitting.  This extra splitting
is done only if SCHANNEL is called with an extra option bit, which
other updates have then added to some other Microsoft products (such
as Internet Explorer and the unrelated WinHTTP curl-like library).

Microsoft warns deep down in KB2643584 that some applications cannot
cope with receiving the split packets and suggests using a new system
setting to TEMPORARILY force disable the splitting until such
applications have been fixed in your particular setup.




Does anybody have any experience with this security patch?
It seems to affect older versions of openssl (0.9.7 or so)... does anybody have experience with newer versions? 

[Basically after the patch is added..older openssl versions can't maintain a 
connection]


In relation to OpenSSL, the following 3 questions remain open:

1. Are any versions of OpenSSL's own protocol library code unable
to cope with the CVE-2011-3389 additional record splitting?

2. Are any versions of OpenSSL's utility and command line programs
(such as s_client and s_server) unable to cope with the CVE-2011-3389
additional record splitting in cases where OpenSSL itself copes just
fine?

3. Is the application you use with OpenSSL unable to cope with the
CVE-2011-3389 additional record splitting in cases where OpenSSL
itself copes just fine?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to