OBSOLETE Patch-ID# 150120-06


Download this patch from My Oracle Support

Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
For further information on patching best practices and resources, please see the following links:
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security kssl
Synopsis: Obsoleted by: 150120-07 SunOS 5.10_x86: kssl patch
Date: Jan/14/2019


Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10_x86

SunOS Release: 5.10_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 150119

Topic: SunOS 5.10_x86: kssl patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR # Bug #
675705115513734
716516215788601
15874245
16224981
16409394
17213052
19492209
19825297
19825374
19828635
22271504
24526034
24687993
24712045
24841091
25115717
28903771


Changes incorporated in this version: 16224981 16409394 28903771

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch: 118855-36 120012-14 127128-11 137138-09 144501-19 147148-26 151913-02 (or greater)

Obsoleted by:

Files included with this patch:

/kernel/drv/amd64/kssl
/kernel/drv/kssl
/usr/include/inet/kssl/ksslapi.h
/usr/lib/kssladm
/usr/sbin/ksslcfg

Problem Description:

16224981 Problem with kernel/kssl
16409394 Problem with kernel/kssl
28903771 disable TLS 1.0 in KSSL and make it secure by default
 
(from 150120-05)
 
15513734 SUNBT6757051 ssl/proxy (kssl kernel module) does not generate audit events
24526034 KSSL should stop supporting rsa_des_cbc_sha as DES is an Unacceptable cipher
24687993 KSSL should stop supporting RC4 based cipher suites
24712045 kssl protocol version config should be audited and warned away
24841091 libbsm debug build can be simplified
25115717 backport of 15661330 created audit record discrepancies
 
(from 150120-04)
 
22271504 migrate kssladm to new OpenSSL 1.0.1
 
(from 150120-03)
 
19492209 problem with KSSL
19825297 administrative enable or disable particular supported version of SSL/TLS in KSSL
19825374 problem with KSSL
19828635 uninitialized var 'cnt' in create_kssl_entry()
 
(from 150120-02)
 
15788601 KSSL fails to serve OpenSSL 1.0.1 client
17213052 15788601 breaks OpenSSL 0.9.[78] clients
 
(from 150120-01)
 
15874245 KSSL writes past the dblk buffer if TCP MSS is small


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  Once this patch is installed, it is necessary to reboot the system
         to activate the fixes.

NOTE 2:  Any previously created KSSL instance that was configured with default
         protocal specification will have all supported protocol versions
         ('SSLv3' and 'TLSv1.0') disabled by default.
         Such KSSL service instance will end up in maintenance mode
         after this patch is applied and after subsequent reboot.

         To continue using the service, the protocol version has to be
         configured. Pre-existing service instances have to be reconfigured
         with ksslcfg(1M) by using command line option '-s' to explicitly
         specify which SSL/TLS protocol versions will be enabled when creating
         new KSSL instance.
 
         ksslcfg(1M) man page update for new option '-s ':
 
                -s versions
 
                    Set of versions of SSL/TLS protocol which are
                    administratively enabled for Kernel SSL proxy
                    module. Recognized values are SSLv3 and TLSv1.0.
                    By default only TLSv1.0 is enabled. Note that
                    the versions are separated by comma and are
                    case-insensitive.

         Services that were previously configured with a protocol version
         will keep working.
 
NOTE 3: In order to deliver the auditing changes for ksslcfg, the following
        lines need to be added to /etc/security/audit_event file:
 
                # ksslcfg(1M) events
                6820:AUE_ksslcfg_create:create kernel SSL instance:as
                6821:AUE_ksslcfg_delete:delete kernel SSL instance:as


README -- Last modified date: Tuesday, April 9, 2019