[openssl-users] Why openssl 1.0.1p accepts composite $q$ in DSA?

Jeffrey Walton noloader at gmail.com
Wed Sep 9 11:45:16 UTC 2015

Hi Georgi,

Sorry to go offlist...

Also keep in mind that the IETF has effectively deprecated the DH
parameters in PKIX certificates. In fact, they moved to fixed DH
groups to avoid the option dance between client and server; and that
has the benefit that the parameters can be validated offline. As for
DSA, the IETF is killing it off, too.

See, for example,
https://tools.ietf.org/html/draft-gillmor-tls-negotiated-dl-dhe-00 and
(archive of latter at


On Wed, Sep 9, 2015 at 6:28 AM, Georgi Guninski <guninski at guninski.com> wrote:
> In short, openssl 1.0.1p accepts composite $q$
> in DSA verify/SSL.
> If $q$ is backdoored in the DSA/DH group parameters,
> this breaks all private keys using it (see links at
> bottom).
> On linux:
> $./apps/openssl s_server -accept 8080 -cert /tmp/cacert2.pem -key
> /tmp/key-comp2.key
> $./apps/openssl s_client -connect localhost:8080
> Verify return code: 18 (self signed certificate)
> $./apps/openssl x509 -text -in /tmp/cacert2.pem
> (make Q hex).
> In sage:
> sage: q=0x008000000000000000001d8000000000000000012b
> sage: factor(q)
> 604462909807314587353111 * 1208925819614629174706189
> The self signed cert and key are attached.
> The discussion started on cypherpunks:
> https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
> On my blog I summarized with title:
> RFC-2631, fips 186-3 and openssl's implementation of DSA appear broken
> (and possibly backdoored)
> https://j.ludost.net/blog/archives/2015/09/05/rfc-2631_fips_186-3_and_openssls_implementation_of_dsa_appear_broken_and_possibly_backdoored/index.html
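Added example, not code from the thread or from OpenSSL: an offline DSA/DH group-parameter check in Python, run against the composite q quoted above (the kind of validation that fixed groups make possible). The constant name, the check list and the Miller-Rabin round count are my choices; p and g are checked only when supplied, since the message quotes only q.

```python
# Offline sanity check of DSA/DH domain parameters (p, q, g), in the spirit of
# FIPS 186-3 / RFC 2631: q must be prime, p must be prime, q | p-1, ord(g) == q.
import secrets

# Composite q copied from Georgi's message (factors 2^79+23 and 2^80+13).
Q_FROM_POST = 0x008000000000000000001d8000000000000000012b

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59]
ALLOWED_LN = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}  # FIPS 186-3 pairs


def is_probable_prime(n, rounds=64):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 = d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # a is a witness: n is composite
    return True


def validate_dsa_params(q, p=None, g=None):
    """Return a list of findings; an empty list means every available check passed."""
    findings = []
    if not is_probable_prime(q):
        findings.append("q is composite")
    if p is not None:
        if (p.bit_length(), q.bit_length()) not in ALLOWED_LN:
            findings.append(f"unsupported (L, N) = ({p.bit_length()}, {q.bit_length()})")
        if not is_probable_prime(p):
            findings.append("p is composite")
        if (p - 1) % q != 0:
            findings.append("q does not divide p-1")
        if g is not None and (not 1 < g < p or pow(g, q, p) != 1):
            findings.append("g is out of range or does not have order q")
    return findings


if __name__ == "__main__":
    print(validate_dsa_params(Q_FROM_POST))   # ['q is composite']
```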
