Bug 460656 - SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG enabled in OpenSSL
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssl
Version: 4.9
Hardware: All Linux
Priority: medium Severity: medium
Target Milestone: rc
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Reported: 2008-08-29 10:37 EDT by Nigel Jewell
Modified: 2008-12-04 11:08 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-12-04 11:08:35 EST
Description Nigel Jewell 2008-08-29 10:37:58 EDT
Description of problem:

Qualysguard reports this problem when scanning our production systems:

Netscape's SSLv3 implementation had a bug where if an SSLv3 connection is initially established, the first available cipher is used. If a session is resumed, a different cipher may be chosen if it appears in the passed cipher list before the session's current cipher. This bug can be used to change ciphers on the server.

OpenSSL contains this bug if the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is enabled during runtime. This option was introduced for compatibility reasons.

The problem arises when different applications using OpenSSL's libssl library enable all compatibility options including SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, thus enabling the bug. 

Version-Release number of selected component (if applicable):

openssl-0.9.7a-43.17.el4_6.1

Additional info:

In https://bugzilla.redhat.com/show_bug.cgi?id=175779 this is reported as "CLOSED NEXTRELEASE" - however it does not appear to be fixed.
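
The resume behaviour the scanner text describes, and the effect of clearing the option bit, as a simplified model added here (not OpenSSL's code and not part of the bug report). The function names, the `DEMO_OP_*` constants and the cipher names in `main` are constructed for illustration, and the model assumes the server supports every offered cipher.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins so the model builds without OpenSSL headers.
 * 0x08 mirrors the bit OpenSSL's ssl.h assigned to this option (assumption);
 * DEMO_OP_ALL only represents "every compatibility bit set". */
#define DEMO_OP_REUSE_CIPHER_CHANGE_BUG 0x00000008L
#define DEMO_OP_ALL                     0x000FFFFFL

/* Hypothetical helper: keep the other workarounds, drop the risky one. */
long hardened_options(long opts)
{
    return opts & ~DEMO_OP_REUSE_CIPHER_CHANGE_BUG;
}

/* Model of the resume decision described in the report.
 * session_cipher: cipher negotiated when the session was created.
 * offered: cipher list sent with the resume request, in client order.
 * Returns the cipher the resumed session would use, or NULL when the
 * resume has to be refused. */
const char *resume_cipher(long opts, const char *session_cipher,
                          const char *const *offered, size_t n)
{
    size_t i;

    if (n == 0)
        return NULL;
    if (opts & DEMO_OP_REUSE_CIPHER_CHANGE_BUG)
        return offered[0];   /* bug-compatible: first offered cipher wins */
    /* Strict: the session's own cipher must be offered again and is the
     * only acceptable result. */
    for (i = 0; i < n; i++)
        if (strcmp(offered[i], session_cipher) == 0)
            return session_cipher;
    return NULL;
}

int main(void)
{
    /* Constructed resume request: a weaker cipher listed ahead of the
     * session's cipher. */
    const char *const offered[] = { "EXP-RC4-MD5", "AES256-SHA" };

    printf("all options: %s\n",
           resume_cipher(DEMO_OP_ALL, "AES256-SHA", offered, 2));
    printf("bit cleared: %s\n",
           resume_cipher(hardened_options(DEMO_OP_ALL), "AES256-SHA", offered, 2));
    return 0;
}
```
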
Comment 1 Nigel Jewell 2008-08-29 10:46:18 EDT
Sorry - my mistake.  I see in the original bug report that this is only fixed in Red Hat 5.  Please confirm that this is the case.
Comment 2 Tomas Mraz 2008-09-01 04:22:12 EDT
Yes, this is fixed in RHEL 5 and Fedora.
Comment 3 Tomas Mraz 2008-12-04 11:08:35 EST
Given the state of maintenance RHEL-4 is getting to, we will not fix this problem in the openssl version shipped in RHEL-4.
