Freeze Break: SSLv3

Kevin Fenzi kevin at
Wed Oct 15 17:15:44 UTC 2014

On Wed, 15 Oct 2014 17:47:37 +0200
Till Maas <opensource at> wrote:

> the current issue only allows an attack against the secrecy of SSL
> communication. This does not seem to be a problem for koji as used in
> Fedora, since it uses client certificates for authentication and
> therefore there should be no secret cookie that could be obtained.
> Also the attack requires the attacker to be able to make the victim
> send special SSL messages/HTTP requests, which is also not feasible
> if only the koji command line client is used, which is how most if
> not all people access koji when they are authenticated.

My thought was that someone could get another users cert. Which, if the
user was an admin would allow them to do all sorts of bad things. 

The cert itself isn't exposed via this?

> All in all it would be good to patch the client and pyopenssl to
> properly support TLS 1.2 but I do not see an imminent threat to koji.

Good to hear. 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <>

More information about the infrastructure mailing list