[Replicant] [PATCHES] SSL related issues

Wolfgang Wiedmeyer wreg at wiedmeyer.de
Sun Sep 27 21:17:18 UTC 2015


My Self provided in the following post an overview of the different ssl/tls
issues with different android browsers: https://redmine.replicant.us/boards/39/topics/8007?r=9081#message-9081
You can do the test from ssllabs yourself here: https://www.ssllabs.com/ssltest/viewMyClient.html
For the stock android browser the following problems get reported:
- no support for TLS version > 1.0
- affected by logjam and freak vulnerability
- vulnerable to poodle attack or more general: SSL version 3 is not
disabled
- weak RC4 ciphers are enabled
- no OCSP stapling

Except for OCSP stapling I was able fix all issues so that the test for them
passes. The patches for disabling SSLv3, enabling TLSv1.1 and
TLSv1.2 and removal of weak RC4 ciphers was completely written by myself, so
please review these patches carefully! I cannot guarantee that the
implementation is complete or without bugs, nor am I a security expert
or familiar with the code base. I just sat down and tried to fix these
issues.
Replicant has openssl version 1.0.1c and it is not easy to find working
patches for recent vulnerabilities for such an old version. I was able
to use patches for Ubuntu 12.04 LTS, as it has openssl 1.0.1 (slightly
older). These patches only needed very little modifications and solved
the logjam and freak vulns. There are a lot more security related
patches in the Ubuntu package, so these could also be included in
replicant.
If there are any trustworthy testing tools for webview vulnerabilities,
I could also try to make fixes for these. I couldn't find any so far. 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patchset.zip
Type: application/zip
Size: 12492 bytes
Desc: not available
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20150927/4be70b22/attachment.zip>


More information about the Replicant mailing list