
Re: [cobalt-security] OpenSSL Advisory?



On Wed, 2003-10-01 at 18:55, Greg Boehnlein wrote:

> > certificate).  As far as I understand, openssh only uses "crypto" part
> > of the OpenSSL package, which probably makes it unaffected by the bugs
> > in the "ssl" part.
> 
> I think anything that exchanges certificates would be likely at risk.

The point is that SSH does not exchange x509 certificates.  It has its
own key exchange protocol.  Probably(?) it is not ASN1 based.

Anyway, "better safe than sorry"; and my message is not "don't upgrade",
it's rather "don't panic" :-)

Eugene

P.S. OpenSSL consists of two layers: crypto and protocol(s).  Crypto
library implements, well, crypto algorithms (RSA, SHA, MD5, etc.). 
Strictly speaking, it has nothing to do with SSL itself.  Protocol
library (libssl) implements SSL protocol and crypto infrastructure
things (x.509 certificates, CSR's etc.).  Many packages that need
cryptography use libcrypto implementation from OpenSSL, even though they
have absolutely nothing to do with SSL as a protocol.  For example,
NetSNMP.  Others, like Apache or imapd, need SSL, and thus use both
layers.
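
The split between the two libraries described in the P.S. can be checked per binary by reading its direct NEEDED entries. This is an added example, not part of the original message; the function names and the sample `readelf -d` output are constructed for illustration. It reports dynamic linkage only, so statically linked or dlopen()-loaded copies of OpenSSL will not show up.

```shell
#!/bin/sh
# classify_needed: read `readelf -d` output on stdin and report which
# OpenSSL libraries appear as direct NEEDED dependencies.
classify_needed() {
    awk '
        /\(NEEDED\)/ && /\[libssl\.so/    { ssl = 1 }
        /\(NEEDED\)/ && /\[libcrypto\.so/ { crypto = 1 }
        END {
            if (ssl && crypto) print "ssl+crypto"
            else if (ssl)      print "ssl"
            else if (crypto)   print "crypto-only"
            else               print "none"
        }'
}

# linkage_report: classify each file given as an argument.
# readelf only parses headers; it does not execute the binary.
linkage_report() {
    for f in "$@"; do
        if out=$(readelf -d "$f" 2>/dev/null); then
            printf '%s\t%s\n' "$f" "$(printf '%s\n' "$out" | classify_needed)"
        else
            printf '%s\t%s\n' "$f" "not-elf-or-unreadable"
        fi
    done
}

# Constructed sample: a binary that links only the crypto library.
sample_crypto_only() {
cat <<'EOF'
 0x00000001 (NEEDED)   Shared library: [libcrypto.so.1]
 0x00000001 (NEEDED)   Shared library: [libc.so.6]
EOF
}

# Constructed sample: a binary that links both libraries.
sample_both() {
cat <<'EOF'
 0x00000001 (NEEDED)   Shared library: [libssl.so.1]
 0x00000001 (NEEDED)   Shared library: [libcrypto.so.1]
 0x00000001 (NEEDED)   Shared library: [libc.so.6]
EOF
}

# Usage: sh linkage.sh /path/to/binary [...]
if [ "$#" -gt 0 ]; then
    linkage_report "$@"
fi
```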