We had a CVE issued today: http://www.ocert.org/advisories/ocert-2015-008.html OpenSSL doesn't check intermediate CAs for expiry when setting the "check CRL" flag. You need to set another flag saying "I really mean check ALL of the CRLs". FreeRADIUS didn't set that flag. The impact for 99% of people is nothing. In order to be vulnerable, you have to have all of the following in the configuration: 1) the RADIUS system has to use a public CA 2) use an intermediate CA to issue client certificates 3) enable EAP-TLS Most people don't have EAP-TLS enabled. A small number of people might be using an intermediate CA. A vanishingly small number of people will be using a public CA for RADIUS. Using a public CA is a *terrible* idea. We have been recommending against it for years. The problem got a CERT advisory issued because technically it is a security bug, and the original person who reporting it didn't want to contact security@freeradius.org. We'll get 2.2.8 and 3.0.9 out soon. In the mean time, most people can ignore this issue. Alan DeKok.
On Jun 22, 2015, at 3:57 PM, Alan DeKok <aland@deployingradius.com> wrote:
We had a CVE issued today: http://www.ocert.org/advisories/ocert-2015-008.html
OpenSSL doesn't check intermediate CAs for expiry when setting the "check CRL" flag. You need to set another flag saying "I really mean check ALL of the CRLs". FreeRADIUS didn't set that flag.
The impact for 99% of people is nothing. In order to be vulnerable, you have to have all of the following in the configuration:
1) the RADIUS system has to use a public CA
2) use an intermediate CA to issue client certificates
3) enable EAP-TLS
Most people don't have EAP-TLS enabled. A small number of people might be using an intermediate CA. A vanishingly small number of people will be using a public CA for RADIUS.
Using a public CA is a *terrible* idea. We have been recommending against it for years.
The problem got a CERT advisory issued because technically it is a security bug, and the original person who reporting it didn't want to contact security@freeradius.org.
We'll get 2.2.8 and 3.0.9 out soon. In the mean time, most people can ignore this issue.
Just to clarify. This will likely only effect you if you got an intermediary CA from a public CA, then used that to sign certificates that you distributed to your clients. You should generally never do this. -Arran
On Mon, Jun 22, 2015 at 03:57:08PM -0400, Alan DeKok wrote:
We had a CVE issued today: http://www.ocert.org/advisories/ocert-2015-008.html
Non-issue aside, gotta love that timeline :) Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
OpenSSL ... To me it looks like they ignore more or less tiny bugs in their code and just focus on encryption, ciphers, etc. Is GnuTLS better? 2015-06-22 22:48 GMT+02:00 Matthew Newton <mcn4@leicester.ac.uk>:
On Mon, Jun 22, 2015 at 03:57:08PM -0400, Alan DeKok wrote:
We had a CVE issued today: http://www.ocert.org/advisories/ocert-2015-008.html
Non-issue aside, gotta love that timeline :)
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 22, 2015, at 8:09 PM, Ben Humpert <ben@an3k.de> wrote:
OpenSSL ... To me it looks like they ignore more or less tiny bugs in their code and just focus on encryption, ciphers, etc. Is GnuTLS better?
Not really. The API is a bit better, but it implements less of the TLS specs. Alan DeKok.
On Jun 23, 2015, at 8:32 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 22, 2015, at 8:09 PM, Ben Humpert <ben@an3k.de> wrote:
OpenSSL ... To me it looks like they ignore more or less tiny bugs in their code and just focus on encryption, ciphers, etc. Is GnuTLS better?
Not really. The API is a bit better, but it implements less of the TLS specs.
...and extrapolating from my limited contact, the developers are assholes. When told we wouldn't be giving one GnuTLS dev commit access to the RADIUS client library repo, he promptly deleted all his pull requests, meaning we couldn't merge the code. -Arran
On Jun 23, 2015, at 10:51 AM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Jun 23, 2015, at 8:32 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 22, 2015, at 8:09 PM, Ben Humpert <ben@an3k.de> wrote:
OpenSSL ... To me it looks like they ignore more or less tiny bugs in their code and just focus on encryption, ciphers, etc. Is GnuTLS better?
Not really. The API is a bit better, but it implements less of the TLS specs.
...and extrapolating from my limited contact, the developers are assholes.
When told we wouldn't be giving one GnuTLS dev commit access to the RADIUS client library repo, he promptly deleted all his pull requests, meaning we couldn't merge the code.
or more the branches the pull requests were based on. -Arran
Not really. The API is a bit better, but it implements less of the TLS specs.
...and extrapolating from my limited contact, the developers are assholes.
When told we wouldn't be giving one GnuTLS dev commit access to the RADIUS client library repo, he promptly deleted all his pull requests, meaning we couldn't merge the code.
or more the branches the pull requests were based on.
Oh that's just petty... Jeez. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Ben Humpert -
Matthew Newton -
Stefan Paetow