<div dir="ltr">Hi Everyone,<div><br></div><div>Sorry to ask for clarification but I am a bit confused about this vulnerability. Is it something I should be sending out to my coworkers since almost all of them use Mac computers?</div>
<div><br></div><div>I prepared an e-mail piecing together what I think I should tell them but if this is totally off base then I should not send it until there is something official I guess. Please take a look and see if this makes sense to send out?</div>
<div><br></div><div>Leon</div><div><br></div><div>___ Message Start ____</div><div><br></div><div>
<p class="">The following is from multiple e-mails which were sent out this morning from the guys at <a href="http://bettercrypto.org">bettercrypto.org</a> and others. All versions of OSX are affected (as well as debian and EL5 Linux) unless you have updated to 1.0.1g which is the latest version.</p>
<p class="">I didn’t send it out to everyone because it only affects people who are using OpenSSL on their systems I think (not sure) like developers or others’s who are playing with crypto and servers running affected OS's. I think IT needs to evaluate how many people it affects and if its worth getting everyone to do the fix (install Homebrew and install the latest OpenSSL. - instructions are at the bottom / Compile from Source) or wait for Apple?</p>
<p class="">Leon</p><p class=""><br></p>
<p class="">This is an Issue with missing cypher suites in OpenSSL all the way back to 0.9.8 and all newer.</p><p class=""><a href="https://github.com/puppetlabs/puppet/pull/2494#issuecomment-41351666">https://github.com/puppetlabs/puppet/pull/2494#issuecomment-41351666</a></p>
<p class="">The OpenSSL 0.9.8 tree is entirely affected as are 0.9.7 versions that appeared later than 0.9.7m.<br></p>
<p class="">This has been reproduced on debian squeeze and affects EL5 as well as ALL versions of OS X up to and including the current Mavericks.</p>
<p class="">Eg.</p><p class="">$ /usr/bin/openssl version</p><p class="">OpenSSL 0.9.8y 5 Feb 2013</p>
<p class=""><br></p>
<p class="">Expanding Ciphersuite B results in:</p>
<p class="">$ /usr/bin/openssl ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'</p>
<p class="">AES256-SHA:AES128-SHA</p>
<p class="">Unexpectedly, DHE ciphers are missing.</p>
<p class=""><br></p>
<p class="">This is the latest version:</p>
<p class="">$ /opt/local/bin/openssl version</p>
<p class="">OpenSSL 1.0.1g 7 Apr 2014</p>
<p class="">$ /opt/local/bin/openssl ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA<span class="">’</span></p>
<p class="">DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA</p>
<p class=""><br></p><p class="">PROBABLE FIX:</p>
<p class="">If one is using homebrew, the existing OS X openssl lib can be overwritten:</p>
<p class="">$ openssl version</p>
<p class="">OpenSSL 0.9.8y 5 Feb 2013</p>
<p class="">$ brew install openssl</p>
<p class="">$ brew link --force openssl</p>
<p class="">open a new terminal (tab)</p>
<p class="">$ openssl version</p>
<p class="">OpenSSL 1.0.1g 7 Apr 2014</p>
<p class="">For sure it should be fixed by Apple, but that can take time …</p>
<p class="">____ Message End ______</p></div><div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div>Leon Letto</div><div><br></div></div>
</div></div>