[openssl-users] openSSL and SLOTH attack

Jakob Bohm jb-openssl at wisemo.com
Mon Jan 11 20:38:05 UTC 2016

On 08/01/2016 18:43, Salz, Rich wrote:
> Are you going to keep posting and posting until you get a response? :(
> Master branch, 1.1, is not released but will not be vulnerable (may already be fixed)
> 1.0.2 is not vulnerable.
> 1.0.1f and later are not vulnerable.
> 1.0.0 might be, and is end of life anyway so you should move of that.
> 0.9.8 is also end of life, but does not do TLS 1.2 so is not vulnerable.
If you read the description of SLOTH (linked in the OP), you
will see that it is not limited to TLS 1.2 and probably
affects the TLS/SSL versions implemented by older (end of
life) OpenSSL versions such as 0.9.8.

Basically, it is a laundry list of ways that backward
compatible hash uses in the SSL/TLS protocols are weaker
than some people assume.  Their summary list doesn't even
consider the possibility that some people still need to use
TLS 1.1 or older, so barely mentions those.

This also means that completely protecting an
implementation against SLOTH is not possible without
breaking interoperability with implementations that
are not or cannot be updated to the latest protocol
versions and features (This happens to include some
widely deployed embedded operating systems).

Now it so happens that SLOTH also includes an attack on
implementation bugs that can be tricked into
using/accepting MD5-based signatures when they shouldn't.
  That *particular* aspect of SLOTH was apparently fixed
in 1.0.1f and 1.0.2.

The entire discussion would have been easier if the SLOTH
team at INRIA had given specific names and CVE ids for
each of the issues in their report, such that one might say
"SLOTH-1: Never vulnerable, SLOTH-2: Fixed in 1.0.1f, SLOTH-3:
hypothetical for now, can be fixed with a cipher string
setting, etc. etc."  But no such names exist.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160111/c2938986/attachment.html>

More information about the openssl-users mailing list