[openssl-users] Why openssl 1.0.1p accepts composite $q$ in DSA?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Sep 9 11:55:36 UTC 2015

On Wed, Sep 09, 2015 at 02:46:05PM +0300, Georgi Guninski wrote:

> Is this ``issue'' real or imaginary according to developers, developers,
> developers(!) ?

On Wed, Sep 09, 2015 at 01:28:42PM +0300, Georgi Guninski wrote:

> In short openssl 1.0.1p accepts composite $q$
> in DSA verify/SSL.
> On my blog I summarized with title:
> RFC-2631, fips 186-3 and openssl's implementation of DSA appear broken
> (and possibly backdoored)
> https://j.ludost.net/blog/archives/2015/09/05/rfc-2631_fips_186-3_and_openssls_implementation_of_dsa_appear_broken_and_possibly_backdoored/index.html

The backdoor assertion looks wrong, the check on the bit-length of
q is correct as required by the standards, and the subgroups in
question are not "small", rather they are commensurate with the
expected security level.  As for running primality tests, presumably
certificates signed by a trusted CA use a prime q.  If the certificate
is *not* signed by a trusted CA, of course the connection is not

You forgot to include the full context from the standard:
   Whether agents provide validation information in their certificates
   is a local matter between the agents and their CA.

The expected time for this sort of check is when CAs sign certificates,
not when TLS handshake participants validate the certificates of
their peers (issued by trusted issuers, or else why bother).
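The check the reply says belongs at certificate-signing time (q of the standard bit length and actually prime, q dividing p - 1, g of order q), as an added Python example that is not OpenSSL's code and not part of this thread; FIPS_186_3_SIZES, validate_dsa_params and the toy-parameter helper make_toy_params are this example's own constructs, and the toy sizes are for demonstration only.

```python
import random

FIPS_186_3_SIZES = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}  # (L, N)

def is_probable_prime(n, rounds=40, rng=random.Random(0)):
    """Miller-Rabin with fixed-seed witnesses so results are reproducible."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:  # write n - 1 = 2^r * d with d odd
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True

def validate_dsa_params(p, q, g, sizes=FIPS_186_3_SIZES):
    """Return the list of problems found; an empty list means (p, q, g) pass."""
    problems = []
    if (p.bit_length(), q.bit_length()) not in sizes:
        problems.append("(L, N) = (%d, %d) not permitted" % (p.bit_length(), q.bit_length()))
    if not is_probable_prime(q):
        problems.append("q is composite")  # the check debated in the thread
    if not is_probable_prime(p):
        problems.append("p is composite")
    if (p - 1) % q:
        problems.append("q does not divide p - 1")
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        problems.append("g does not generate the order-q subgroup")
    return problems

def make_toy_params(L, N, rng=random.Random(1)):
    """Constructed toy (p, q, g) for the demo only; not the FIPS 186-3 procedure."""
    while True:
        q = rng.getrandbits(N) | (1 << (N - 1)) | 1  # odd, exactly N bits
        if not is_probable_prime(q):
            continue
        for _ in range(4 * L):  # look for a prime p = k*q + 1 of exactly L bits
            p = rng.getrandbits(L - N) * q + 1
            if (p.bit_length() == L and is_probable_prime(p)
                    and (g := pow(2, (p - 1) // q, p)) > 1):
                return p, q, g
```

Passing p - 1 as q shows the failure mode under discussion: the subgroup and divisibility checks still succeed, and only the primality test rejects the composite order.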
