[Replicant] [PATCHES] SSL related issues

Kurtis Hanna kurtis at riseup.net
Mon Nov 9 23:57:49 UTC 2015


Did anyone have time to review these patches?

On Sun, 27 Sep 2015 23:17:18 +0200
Wolfgang Wiedmeyer <wreg at wiedmeyer.de> wrote:

> My Self provided in the following post an overview of the different ssl/tls
> issues with different android browsers: https://redmine.replicant.us/boards/39/topics/8007?r=9081#message-9081
> You can do the test from ssllabs yourself here: https://www.ssllabs.com/ssltest/viewMyClient.html
> For the stock android browser the following problems get reported:
> - no support for TLS version > 1.0
> - affected by logjam and freak vulnerability
> - vulnerable to poodle attack or more general: SSL version 3 is not
> disabled
> - weak RC4 ciphers are enabled
> - no OCSP stapling
> 
> Except for OCSP stapling I was able fix all issues so that the test for them
> passes. The patches for disabling SSLv3, enabling TLSv1.1 and
> TLSv1.2 and removal of weak RC4 ciphers was completely written by myself, so
> please review these patches carefully! I cannot guarantee that the
> implementation is complete or without bugs, nor am I a security expert
> or familiar with the code base. I just sat down and tried to fix these
> issues.
> Replicant has openssl version 1.0.1c and it is not easy to find working
> patches for recent vulnerabilities for such an old version. I was able
> to use patches for Ubuntu 12.04 LTS, as it has openssl 1.0.1 (slightly
> older). These patches only needed very little modifications and solved
> the logjam and freak vulns. There are a lot more security related
> patches in the Ubuntu package, so these could also be included in
> replicant.
> If there are any trustworthy testing tools for webview vulnerabilities,
> I could also try to make fixes for these. I couldn't find any so far. 



More information about the Replicant mailing list