[openssl-users] Why openssl 1.0.1p accepts composite $q$ in DSA?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Sep 9 12:32:37 UTC 2015

On Wed, Sep 09, 2015 at 03:17:01PM +0300, Georgi Guninski wrote:

> If I am CA and sign cert requests with vanilla openssl,
> will I sign a composite $q$?

The "openssl ca" command won't stop you from signing a non-prime
DSA $q$.  Real CAs need to do a lot more than is done in "openssl

No real public CAs issue DSA certificates.  Perhaps some internal
USG CAs issue DSA certificates.

What specific attack did you have in mind?  The MiTM obtains a weak
certificate from a trusted CA?  And then uses static DH_DSS with
a smooth $q$ allowing the attacker to recover the peer's ephemeral
DH private exponent?  What then?  The peer is now performing a
handshake with the authenticated MiTM, where's the attack against
a third party?

To make this interesting (not saying it is impossible, but no
evidence has been provided yet that anything interesting is afoot),
you need a more complete attack description than "OpenSSL accepts
non-prime $q$".
