On 2/29/2012 11:43 PM, Dr. Stephen Henson wrote:
> On Wed, Feb 29, 2012, Tammany, Curtis wrote:
>
>> I had brought this issue up earlier ("Windows 7/IE8 CAC enabled sites").
>> With SSL 3.0 only checked on IE8 (in Windows 7), I could make a connection
>> to my site that had OpenSSL 1.0.0g. With both SSL 3.0 AND TLS 1.0 checked, I
>> could not make a connection. We rolled back versions of OpenSSL until we got
>> to 0.9.8r which could make a connection with both protocols enabled on the
>> browser...
>>
>> Will there be a version that will address MS12-006? TLS1.1? TLS1.2?
>>
>
> At present I cannot reproduce the issues with MS12-006 so I can only guess as
> to the cause. If I can or I can get appropriate feedback I can work on a fix,
> assuming it isn't fixed already: see below. TLS 1.1 and 1.2 will only ever
> appear in OpenSSL 1.0.1 and later as new features don't appear in stable
> releases: just bug fixes. That is currently in beta and a few issues remain to
> be resolved before the full release.

Please read that again.  He wrote that 1.0.0 did NOT work, but 0.9.8 works.

> So a few guesses:
>
> If the problem is no longer present in OpenSSL 0.9.8r then 1.0.0e may also
> work. The only known problem with later versions is the SGC DoS fix has a bug
> in it which may affect renegotiation in some circumstances. This bug *should*
> be fixed in the latest snapshots of OpenSSL: please see if they work OK for
> you.
Please refer to my initial literature check higher up in this thread.

MS12-006 is Microsoft's name for CVE-2011-3389, which you hopefully
know better than I do.

Microsoft KB2643584 et al. is Microsoft's patch for CVE-2011-3389.

According to Microsoft, their patch selectively fragments some of the
SSL and TLS records in order to prevent the attack.  They claim that
this fragmentation is the most likely cause of interoperability issues
and point to specific clauses in the SSL 3.0 and TLS 1.0 RFCs as
justification for saying that any incompatible software (which might
include OpenSSL 1.0.0) is buggy for not being compatible with their
change, although that might just be BS.

--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
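The message above says Microsoft's patch "selectively fragments some of the SSL and TLS records" and that software which cannot cope is arguably non-conformant. The example below, added here and not taken from the thread, from OpenSSL or from Microsoft's code, shows what that means at the record layer: it serialises application data into TLS records with and without a split, then compares a receiver that assumes one record per write against one that follows the record-layer rules (fragments of the same content type are concatenated; zero-length fragments are legal). The 1/(n-1) split is the shape commonly used for the MS12-006 style countermeasure and the 0/n (empty-fragment) form is the one OpenSSL has long used; the exact selection rules of the Microsoft patch are not on the page, so the splitting modes here are illustrative. The sample HTTP request is constructed.

```python
import struct

APPLICATION_DATA = 23          # TLS ContentType for application_data
TLS_1_0 = (3, 1)               # ProtocolVersion major/minor
MAX_FRAGMENT = 2 ** 14         # TLSPlaintext.length may not exceed 2^14


def build_record(content_type, version, fragment):
    """Serialise one TLS record: type(1) | version(2) | length(2) | fragment."""
    if len(fragment) > MAX_FRAGMENT:
        raise ValueError("fragment exceeds 2^14 bytes")
    major, minor = version
    return struct.pack("!BBBH", content_type, major, minor, len(fragment)) + fragment


def split_fragments(plaintext, mode):
    """Split one application-data write into record fragments.

    mode == "none":  one record carrying the whole message.
    mode == "1/n-1": a 1-byte record followed by the remaining n-1 bytes
                     (the split used by the MS12-006 style mitigation).
    mode == "0/n":   an empty record followed by the whole message
                     (the empty-fragment form long used by OpenSSL).
    Both split modes are illustrative, not a copy of any vendor's rules.
    """
    if mode == "none" or len(plaintext) == 0:
        return [plaintext]
    if mode == "1/n-1":
        return [plaintext[:1], plaintext[1:]] if len(plaintext) > 1 else [plaintext]
    if mode == "0/n":
        return [b"", plaintext]
    raise ValueError("unknown split mode: %r" % mode)


def encode_application_data(plaintext, mode="1/n-1", version=TLS_1_0):
    """Encode plaintext as a byte stream of application_data records."""
    return b"".join(build_record(APPLICATION_DATA, version, f)
                    for f in split_fragments(plaintext, mode))


def parse_records(stream):
    """Parse a byte stream into (content_type, version, fragment) tuples."""
    records = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        offset += 5
        if length > MAX_FRAGMENT:
            raise ValueError("record length exceeds 2^14")
        fragment = stream[offset:offset + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        offset += length
        records.append((ctype, (major, minor), fragment))
    return records


def read_naive(stream):
    """Fragile receiver: assumes each application write arrives as exactly one
    record and returns only the first fragment, so any split loses data."""
    return parse_records(stream)[0][2]


def read_conformant(stream):
    """Receiver that follows the record-layer rules: consecutive fragments of
    one content type are concatenated and zero-length fragments are harmless."""
    out = bytearray()
    for ctype, _version, fragment in parse_records(stream):
        if ctype != APPLICATION_DATA:
            raise ValueError("unexpected content type %d" % ctype)
        out += fragment
    return bytes(out)


if __name__ == "__main__":
    msg = b"GET / HTTP/1.0\r\n\r\n"   # constructed sample application data
    for mode in ("none", "1/n-1", "0/n"):
        stream = encode_application_data(msg, mode)
        print(mode, len(parse_records(stream)), "record(s);",
              "naive ok" if read_naive(stream) == msg else "naive BROKEN",
              "/ conformant ok" if read_conformant(stream) == msg else "/ conformant BROKEN")
```

Running it shows the naive reader returning the full request only in the "none" mode, a single byte for the 1/(n-1) split and nothing at all for the empty-fragment split, while the conformant reader recovers the request in every case. That is the class of receiver bug the message refers to when it says an implementation that breaks on the fragmented records is the non-conformant side.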