From: Steffan Karger <steffan <at> karger.me>
Subject: Re: more SSL_OP_NO_TICKET fallout
Newsgroups: gmane.network.openvpn.devel
Date: Sunday 13th July 2014 09:31:14 UTC (over 3 years ago)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

Oh, joy, more SSL_OP_NO_TICKET fallout. Changing the subject to
separate this discussion from the original thread about topology subnet.

On 12-07-14 15:50, Gert Doering wrote:
> On Sat, Jul 12, 2014 at 02:55:21PM +0200, David Sommerseth wrote:
>>> Well, OpenSSL considers this a "feature", not an "issue"... and
>>> being able to turn off session resumption is also considered a
>>> "feature"...
>> 
>> Ahh, right!
>> 
>> I thought this was related to a CVE, but it seems not, according to
>> the OpenSSL changelog I found on the net [1].  SSL_OP_NO_TICKET
>> comes with the implementation of RFC4507, which was introduced in
>> 0.9.8f.  I just double checked EL5, and it uses 0.9.8e as the
>> base version.  According to the RPM changelog, I don't see that
>> RFC4507 has ever been backported.
> 
> Ah.  So if that is correct, our simplistic implementation "if it is
> not there, just #define SSL_OP_NO_TICKET 0" would be perfectly safe
> in this regard, then.
> 
>> But it would be good if others can double-check this and see if I've
>> understood this correctly, just so I don't say anything wrong.
> 
> Indeed :-) - Steffann?

Yes, the SSL_OP_NO_TICKET flag was introduced together with the
feature it disables (stateless session resumption). Sane backporters
would also backport the flag when backporting the feature. So using
the same "#define SSL_OP_NO_TICKET 0"-construction as in 2.3 should be
fine.

I think this is the way to go for 2.4 if we want to support RHEL5
until their end-of-production. The alternatives would be to either
drop support for RHEL5 (seems unreasonable for such a silly fix) or
keep maintaining 2.3 until RHEL5 end-of-support (much more work).

Attached a patch that adds the 2.3 #ifdef construction to -master too.
I updated the message to reflect that this is in master too now, and
include the string '0.9.8', which should help with stripping this out
again if 0.9.8-support is ever dropped.

- -Steffan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCAAGBQJTwlHPAAoJEJgCyj0AftKImwcH/0mCSnA2LNFDP0542/yRnFTc
mwufEafiZ936xY0eEYKERNMuISucAoHiOGrp+5EqSHSoGqX7TTkxZ3hIBVgQ4L37
p4b9pbkXNj5J4RelcFkH78lNKnNr9AnU5JHO1SJEO1qKAY0q5ypRclvTbytcN8o6
6UVnRzcjmDnyUOgPrSct+JK7Rm9BVCpDU2a7PK0fGASs3qS9NZOmBSDV9Eg2P5tn
IdvoZUrI9ZPNLDWCoDpMOkpsvQPl2BeMJ0t5Ib/LRSE8dbvfxg+GldYYQ3YA4uu8
xylgnvNTwi1GfFEicwX+9g8NEkqDKmNJd6k/OzclVyhWi3209E6prwk20NX7RDs=
=u8ld
-----END PGP SIGNATURE-----
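As an added illustration of the compatibility construction discussed in the thread, the following C file is not the patch Steffan attached and not OpenVPN code. It shows the "if it is not there, just #define SSL_OP_NO_TICKET 0" shim and why it is safe: OR-ing a zero flag into the option word changes nothing, so on an OpenSSL that predates RFC 4507 tickets the call is a no-op, while on a newer OpenSSL the real flag bit is set. Assumptions of mine: the `__has_include` probe lets the file build with or without OpenSSL headers installed; `openvpn_style_options()`, `shim_preserves_existing_bits()` and `openssl_has_session_tickets()` are hypothetical names; and the constant `0x0090806fL` assumes the usual `0xMNNFFPPS` layout of `OPENSSL_VERSION_NUMBER`, under which 0.9.8e is `0x0090805fL` and 0.9.8f is `0x0090806fL`.

```c
/* Added example (not from the OpenVPN thread or its attached patch): the
 * "#define SSL_OP_NO_TICKET 0" compatibility shim, plus a check of the
 * property that makes it safe.  The __has_include probe, the function names
 * and the version-number constants below are this example's own assumptions. */
#include <stdio.h>

#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>   /* real SSL_OP_NO_TICKET when OpenSSL >= 0.9.8f */
#  endif
#endif

/* The shim: OpenSSL builds that predate RFC 4507 (stateless session
 * resumption, added in 0.9.8f) have no tickets to disable, so defining the
 * flag as 0 turns "options |= SSL_OP_NO_TICKET" into a no-op there. */
#ifndef SSL_OP_NO_TICKET
#  define SSL_OP_NO_TICKET 0
#  define SSL_OP_NO_TICKET_IS_SHIM 1
#else
#  define SSL_OP_NO_TICKET_IS_SHIM 0
#endif

/* Build the option word the way a TLS context setup would: keep whatever
 * options the caller already chose and add "no tickets" on top. */
long openvpn_style_options(long base)
{
    return base | SSL_OP_NO_TICKET;
}

/* Safety property of the shim: adding the flag never clears a bit the caller
 * set and never sets any bit other than the ticket flag itself. */
int shim_preserves_existing_bits(long base)
{
    long opts = openvpn_style_options(base);
    return (opts & base) == base
        && (opts & ~(base | SSL_OP_NO_TICKET)) == 0;
}

/* Whether a given OPENSSL_VERSION_NUMBER ships RFC 4507 tickets (>= 0.9.8f).
 * Assumed encoding 0xMNNFFPPS: 0.9.8e = 0x0090805fUL, 0.9.8f = 0x0090806fUL. */
int openssl_has_session_tickets(unsigned long version_number)
{
    return version_number >= 0x0090806fUL;
}

int main(void)
{
    printf("SSL_OP_NO_TICKET = 0x%lx (%s)\n", (long)SSL_OP_NO_TICKET,
           SSL_OP_NO_TICKET_IS_SHIM ? "compat shim" : "from OpenSSL headers");
    printf("options from base 0x10: 0x%lx\n", openvpn_style_options(0x10));
    printf("0.9.8e has tickets: %d, 0.9.8f has tickets: %d\n",
           openssl_has_session_tickets(0x0090805fUL),
           openssl_has_session_tickets(0x0090806fUL));
    return 0;
}
```

Compiled against a modern OpenSSL the first line reports the header's flag value; compiled on a box without OpenSSL headers (or with a pre-0.9.8f one that lacks the macro) it reports `0x0` and "compat shim", and `openvpn_style_options(0x10)` returns exactly `0x10`, which is the behaviour the thread relies on.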