SSL/TLS Authentication Gap – Status of Patches

Because this vulnerability is present in the SSL/TLS protocol itself, all SSL implementations will need to be patched. Software vendors will have to update their software to use the revised libraries, and users should apply any software updates as they become available.

This page has been created as a convenience for IT professionals to track availability of these patches. It is not intended to replace or supersede any direct communications from vendors, and you are encouraged to check vendor websites for the latest information regarding the availability of specific patches.

Vendor Patches:

Columns: Vendor | Affected Products | Status of Patch(es). A progress indicator (see "Progress Indicators" below) accompanies each product or patch line in the status column.

Vendor: IETF
Affected Products: TLS Protocol
Status of Patch(es): Eric Rescorla posted the text for an Internet Draft that the working group proposed as a fix: http://tools.ietf.org/html/draft-ietf-tls-renegotiation-03. After incorporating feedback from the TLS community, the proposed fix was approved by the IESG on January 7, 2010.

Vendor: OpenSSL
Affected Products:
  - Workaround – Removes Renegotiation (OpenSSL 0.9.8l) [progress indicator]
  - Fix (OpenSSL 0.9.8m) [progress indicator]
Status of Patch(es): A new version of OpenSSL (OpenSSL 0.9.8l) has been released, which removes SSL/TLS renegotiation. While this is not a fix for the SSL/TLS protocol vulnerability, it does mitigate the resulting authentication gap. The new version of OpenSSL is available at http://www.openssl.org/source/. The draft proposal of the TLS protocol fix has been committed to the OpenSSL stable branch and should be available shortly. An OpenSSL Security Advisory has been posted at http://www.openssl.org/news/secadv_20091111.txt.

Vendor: Microsoft
Affected Products: IIS, SChannel, Internet Explorer
Status of Patch(es): [progress indicator]

Vendor: Cisco
Affected Products: See Advisory
Status of Patch(es): [progress indicator] A security advisory has been published by Cisco (Advisory ID: cisco-sa-20091109-tls) at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml. A list of vulnerable products has been identified.

Vendor: F5
Affected Products:
  - Workaround – Disables Renegotiation [progress indicator]
  - Fix [progress indicator]
Status of Patch(es): A security advisory has been published by F5 (Advisory ID: SOL10737) at https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html (registration required).

Vendor: Mozilla/Firefox/NSS
Affected Products:
  - Workaround – Disables Renegotiation [progress indicator]
  - Fix [progress indicator]
Status of Patch(es): A patch, which disables renegotiation, is now available (https://bugzilla.mozilla.org/show_bug.cgi?id=526689). The TLS protocol fix has been implemented in NSS. Interoperability testing is in progress. More information on the fix is available at https://bugzilla.mozilla.org/show_bug.cgi?id=537356.

Vendor: GNU TLS
Affected Products: Most Applications Are Not Affected
Status of Patch(es): [progress indicator] A proposed fix has been provided by PhoneFactor and is available at http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00014.html. A final version of the patch is being tested now.

Vendor: RSA
Affected Products:
  - RSA BSAFE(R) SSL-J, RSA BSAFE(R) Share for Java(TM) Platform, RSA BSAFE(R) MES, RSA BSAFE(R) Share for C/C++ [progress indicator]
  - RSA BSAFE(R) SSL-C and RSA BSAFE(R) SSL-C ME [progress indicator]

Vendor: Citrix
Status of Patch(es): An article has been published to the Citrix Knowledge Center at http://support.citrix.com/article/CTX123359.

Vendor: Opera
Status of Patch(es): [progress indicator] Opera has an implementation, which is currently being polished with warning and error messages and a kill-switch.

Vendor: Zeus Technology
Affected Products:
  - Zeus Traffic Manager 6.0r2
  - Zeus Web Server version 4.3r5
Status of Patch(es): [progress indicator] More information is available at http://knowledgehub.zeus.com/news/2009/12/02/zeus_traffic_manager_6_0r2_released and http://support.zeus.com/zws/news/2010/01/13/zws_4_3r5_released.

Progress Indicators (each indicator image in the table above marks one of the following stages, listed in order of progress):

1. Code Undergoing Initial Testing
2. Interoperability Testing in Progress
3. Limited Public Availability
4. Full Public Availability

Have an Update? Let us know at communication@phonefactor.com.

More Information