OpenSSL Security Advisory

Matt Caswell matt at openssl.org
Thu Sep 10 15:28:07 UTC 2020



On 10/09/2020 16:14, Jakob Bohm via openssl-users wrote:
> On 2020-09-10 09:03, Tomas Mraz wrote:
>> On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
>>> Wouldn't a more reasonable response for 1.0.2 users have been to force on
>>> SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected cipher
>>> suites and telling affected people to recompile with the fix off?
>>
>> You seem to be mixing two different affected things. One is the static
>> DH ciphersuites. There is no remediation for these except for not using
>> them. Fortunately they are not really used by anyone. This can be
>> achieved on the server side by simply not providing the DH certificate.
>> On the client side they can be dropped from the ciphers string. This is
>> the "deprecating affected cipher suites" change part.
>>
>> On the other hand, the reuse of the DH key for ephemeral DH can only be
>> disabled by the calling server application setting SSL_OP_SINGLE_DH_USE.
>> This is the part relevant for a wider audience.
>>
>> So yes, both issues can be remediated by the application calling the
>> OpenSSL library. On the other hand, it is not always possible to change
>> the application, so we also provide a fix to premium support customers in
>> terms of changing the openssl code.
>>
> 
> 
> The advisory didn't include this clarification,

Isn't the text below from the advisory more-or-less what Tomas said?

"OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
ciphersuite is used
...
Since the vulnerability lies in the TLS specification, fixing the
affected ciphersuites is not viable. For this reason 1.0.2w moves the
affected ciphersuites into the "weak-ssl-ciphers" list."


> and didn't state if
> 1.0.2w fixes the DHE case by doing what 1.1.x does and act like
> SSL_OP_SINGLE_DH_USE is always set.

The advisory says that SSL_OP_SINGLE_DH_USE was made the default in 1.0.2f:

"OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
connections in server processes unless the SSL_OP_SINGLE_DH_USE option
was explicitly configured. Therefore all ciphersuites that use DH in
servers (including ephemeral DH) are vulnerable in these versions. In
OpenSSL 1.0.2f SSL_OP_SINGLE_DH_USE was made the default and it could
not be turned off as a response to CVE-2016-0701."

Matt
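
The two remediations discussed in this thread, turned into a configuration check. This is an added example, not code from the advisory, the thread or the OpenSSL project. It assumes the `Kx=` column layout of `openssl ciphers -v` on 1.0.2; the sample listing is constructed and the function names are hypothetical.

```python
import re

# Constructed sample, in the column layout `openssl ciphers -v` prints on 1.0.2.
SAMPLE = """\
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

def classify(ciphers_v):
    """Split suite names into (static DH, ephemeral DH) using the Kx column."""
    static, ephemeral = [], []
    for line in ciphers_v.splitlines():
        fields = line.split()
        kx = next((f[3:] for f in fields if f.startswith("Kx=")), None)
        if kx in ("DH/RSA", "DH/DSS"):          # DH key comes from the certificate
            static.append(fields[0])
        elif kx is not None and re.fullmatch(r"DH(\(\d+\))?", kx):
            ephemeral.append(fields[0])          # DHE and anonymous DH
    return static, ephemeral

def reuses_dh_by_default(version):
    """True for 1.0.2e and below, per the advisory text quoted above."""
    m = re.fullmatch(r"1\.0\.2([a-z]*)", version)
    if not m:
        raise ValueError("only the 1.0.2 branch is covered by this sketch")
    return m.group(1) < "f"

def audit(version, ciphers_v, single_dh_use_set):
    static, ephemeral = classify(ciphers_v)
    return {
        # Static DH: no fix, so drop from the cipher string / offer no DH certificate.
        "drop_static_dh": static,
        # Ephemeral DH: the application must set the option on old releases.
        "set_single_dh_use": bool(ephemeral) and not single_dh_use_set
                             and reuses_dh_by_default(version),
    }

if __name__ == "__main__":
    for ver in ("1.0.2e", "1.0.2u"):
        print(ver, audit(ver, SAMPLE, single_dh_use_set=False))
```
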


