[openssl-users] openSSL and SLOTH attack

Jakob Bohm jb-openssl at wisemo.com
Thu Jan 7 21:32:23 UTC 2016


On 07/01/2016 16:46, Michael Wojcik wrote:
> As described on that web page, use OpenSSL 1.0.1f or later. That prevents the currently-practical SLOTH attack against RSA-MD5 client authentication.
>
> If you're using an OpenSSL release earlier than 1.0.1f, SLOTH is probably not your biggest problem.
>
> The authors recommend discontinuing use of MD5 and SHA-1 in general. So does nearly everyone else. Really the risk of continuing to support MD5 and SHA-1 can only meaningfully be evaluated in the context of your own threat model; but either you already know that, or you don't know what your threat model is, in which case the safe move is to drop support for MD5 and SHA-1 as soon as you can.
>
The above is not a very accurate summary.

In particular, the following would be a clearer summary:

1. Whenever possible, configure both servers and clients
   to avoid using MD5 or SHA-1 alone.

2. My suggestion: If it is necessary to retain SHA-1
   support due to some correspondents stuck with older
   weak algorithms (looking at you Microsoft!), then
   isolate it as much as possible, e.g. with different
   certificates etc.

3. If possible, configure servers and clients to not
   choose encryption modes where the TLS handshake is
   confirmed using only 96 bits of the relevant HMAC.

4. Do not use the "official" tls-unique token to bind
   something to a TLS handshake, it is unsuited to purpose,
   even with the recent extension of its format.
   My suggestion:  Instead do a strong hash (SHA-256 or
   better) of the complete handshake (all handshake
   messages in both directions, including record headers).


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
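As an added illustration of point 4 above (example code, not from the post, OpenSSL or WiseMo), the following Python computes a 256-bit binding over the complete handshake in both directions, record headers included, and contrasts it with the 96-bit tls-unique value. The direction tag mixed into the hash and the sample records are this example's own assumptions.

```python
import hashlib
import struct

HANDSHAKE = 0x16  # TLS record-layer content type for handshake messages

def tls_record(content_type, body, version=0x0303):
    """Build one TLS record (5-byte header + body); used only for constructed sample data."""
    return struct.pack("!BHH", content_type, version, len(body)) + body

def parse_record(raw):
    """Split one raw record into (header, body), rejecting truncated or overlong input."""
    if len(raw) < 5:
        raise ValueError("truncated record header")
    _, _, length = struct.unpack("!BHH", raw[:5])
    if len(raw) != 5 + length:
        raise ValueError("record length field does not match the data present")
    return raw[:5], raw[5:]

def transcript_binding(records):
    """SHA-256 over every handshake record in both directions, record headers included.
    `records` is the handshake in wire order as (direction, raw_record) pairs, direction
    being "C" (client to server) or "S" (server to client). Mixing the direction tag into
    the hash is this example's own choice, not something the post specifies. Non-handshake
    records (alerts, application data) are rejected rather than silently skipped.
    """
    h = hashlib.sha256()
    for direction, raw in records:
        if direction not in ("C", "S"):
            raise ValueError("direction must be 'C' or 'S'")
        header, body = parse_record(raw)
        if header[0] != HANDSHAKE:
            raise ValueError("non-handshake record type %#x in transcript" % header[0])
        h.update(direction.encode() + header + body)
    return h.digest()

def tls_unique_token(first_finished_verify_data):
    """tls-unique (RFC 5929) is the verify_data of the first Finished message: 12 bytes
    (96 bits) in TLS 1.2. Kept here only to contrast its size with the 256-bit digest."""
    return first_finished_verify_data[:12]

# Constructed sample handshake (not captured traffic): ClientHello, ServerHello and a client
# Finished, each a handshake record whose body starts with a 4-byte handshake header.
SAMPLE_HANDSHAKE = [
    ("C", tls_record(HANDSHAKE, b"\x01\x00\x00\x04\x03\x03\xaa\xbb")),
    ("S", tls_record(HANDSHAKE, b"\x02\x00\x00\x04\x03\x03\xcc\xdd")),
    ("C", tls_record(HANDSHAKE, b"\x14\x00\x00\x0c" + bytes(range(12)))),
]
```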