Freeze Break: SSLv3
Till Maas
opensource at till.name
Wed Oct 15 15:47:37 UTC 2014
Hi,
On Tue, Oct 14, 2014 at 10:03:19PM -0600, Kevin Fenzi wrote:
> On Tue, 14 Oct 2014 19:49:05 -0600
> Kevin Fenzi <kevin at scrye.com> wrote:
>
> > FYI, I have tested the koji change (along with a change of ciphers) in
> > stg and it seems fine with it.
>
> Sadly, I didn't test auth connections, and they are broken.
>
> Seems koji hard codes SSLv3 as the one and only ssl method. ;(
>
> We will need to get a patch for koji before we can switch it over.
the current issue only allows an attack against the secrecy of SSL
communication. This does not seem to be a problem for koji as used in
Fedora, since it uses client certificates for authentication and
therefore there should be no secret cookie that could be obtained. Also
the attack requires the attacker to be able to make the victim send
special SSL messages/HTTP requests, which is also not feasible if only
the koji command line client is used, which is how most if not all
people access koji when they are authenticated.
All in all it would be good to patch the client and pyopenssl to
properly support TLS 1.2 but I do not see an imminent threat to koji.
Regards
Till
More information about the infrastructure
mailing list