[openssl-users] Why openssl 1.0.1p accepts composite $q$ in DSA?

Georgi Guninski guninski at guninski.com
Wed Sep 9 11:15:52 UTC 2015

On Wed, Sep 09, 2015 at 07:03:59AM -0400, Jeffrey Walton wrote:
> On Wed, Sep 9, 2015 at 6:28 AM, Georgi Guninski <guninski at guninski.com> wrote:
> > In short openssl 1.0.1p accepts composite $q$
> > in DSA verify/SSL.
> >
> > If $q$ is backdoored in the DSA/DH group parameters,
> > this breaks all private keys using it (see links at
> > bottom)...
> >
> Just bikeshedding, but before I went any further with it, I would
> verify DSA_check_key(...) does *not* reject the key.

Doesn't the sessions with s_client/s_server and
dsa verify (in the links) show this works in practice,
no matter of your question?

More information about the openssl-users mailing list