OpenSSL Security Advisory

Jakob Bohm jb-openssl at
Wed Sep 9 20:26:00 UTC 2020

On 2020-09-09 14:39, OpenSSL wrote:
> OpenSSL Security Advisory [09 September 2020]
> =============================================
>
> Raccoon Attack (CVE-2020-1968)
> ==============================
>
> Severity: Low
>
> The Raccoon attack exploits a flaw in the TLS specification which can lead to
> an attacker being able to compute the pre-master secret in connections which
> have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would
> result in the attacker being able to eavesdrop on all encrypted communications
> sent over that TLS connection. The attack can only be exploited if an
> implementation re-uses a DH secret across multiple TLS connections. Note that
> this issue only impacts DH ciphersuites and not ECDH ciphersuites.
>
> OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and
> does not implement any "static" DH ciphersuites.
>
> OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
> ciphersuite is used. These static "DH" ciphersuites are ones that start with the
> text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these
> ciphersuites all start with "TLS_DH_" but exclude those that start with
> "TLS_DH_anon_".
>
> OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
> connections in server processes unless the SSL_OP_SINGLE_DH_USE option was
> explicitly configured. Therefore all ciphersuites that use DH in servers
> (including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f
> SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as a
> response to CVE-2016-0701.
>
> Since the vulnerability lies in the TLS specification, fixing the affected
> ciphersuites is not viable. For this reason 1.0.2w moves the affected
> ciphersuites into the "weak-ssl-ciphers" list. Support for the
> "weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause
> interoperability problems in most cases since use of these ciphersuites is rare.
> Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at
> compile time with the "enable-weak-ssl-ciphers" option. This is not recommended.
>
> OpenSSL 1.0.2 is out of support and no longer receiving public updates.
> Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w. If
> upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure
> that affected ciphersuites are disabled through runtime configuration. Also
> note that the affected ciphersuites are only available on the server side if a
> DH certificate has been configured. These certificates are very rarely used and
> for this reason this issue has been classified as LOW severity.
>
> This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and Juraj
> Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to
> allow co-ordinated disclosure with other implementations.
>
> Note
> ====
>
> OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
> support is available for premium support customers:
>
> OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
> The impact of this issue on OpenSSL 1.1.0 has not been analysed.
>
> Users of these versions should upgrade to OpenSSL 1.1.1.
>
> References
> ==========
>
> URL for this Security Advisory:
>
> Note: the online version of the advisory may be updated with additional details
> over time.
>
> For details of OpenSSL severity classifications please see:
Wouldn't a more reasonable response for 1.0.2 users have been to force on
SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected ciphers
and telling affected people to recompile with the fix off?


Jakob Bohm, CIO, Partner, WiseMo A/S.
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
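As an added illustration (not part of the advisory or of this thread), the following Python encodes the advisory's own rules for when a server reuses a DH secret: which ciphersuite names count as static DH ("DH-" or "TLS_DH_" but not "TLS_DH_anon_"), and how the answer depends on the OpenSSL version and on SSL_OP_SINGLE_DH_USE. The version thresholds and name prefixes come from the advisory text; the sample ciphersuite list at the end is constructed.

```python
import re


def parse_version(v):
    """Turn an OpenSSL version string such as '1.0.2e' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def dh_kind(name):
    """Classify a ciphersuite name (OpenSSL short form or IANA form) by its use of
    finite-field DH: 'static', 'ephemeral', 'anon', or None (RSA, ECDH, ... )."""
    if name.startswith("TLS_"):
        if name.startswith("TLS_DH_anon_"):
            return "anon"
        if name.startswith("TLS_DHE_"):
            return "ephemeral"
        return "static" if name.startswith("TLS_DH_") else None
    if name.startswith("ADH-"):
        return "anon"
    if name.startswith(("DHE-", "EDH-")):
        return "ephemeral"
    return "static" if name.startswith("DH-") else None


def raccoon_exposed(version, ciphersuite, single_dh_use=False):
    """True if a server on this OpenSSL version reuses the DH secret for this
    ciphersuite (the precondition of the Raccoon attack), False if it does not,
    None where the advisory gives no answer (1.1.0 was not analysed)."""
    kind = dh_kind(ciphersuite)
    if kind is None:                 # ECDH and non-DH key exchange are out of scope
        return False
    v = parse_version(version)
    if v >= (1, 1, 1, ""):
        return False                 # 1.1.1 never reuses a DH secret, no static DH suites
    if v >= (1, 1, 0, ""):
        return None                  # 1.1.0: impact not analysed by the advisory
    if v >= (1, 0, 2, "f"):
        return kind == "static"      # SSL_OP_SINGLE_DH_USE forced on; only static DH reuses
    return not single_dh_use         # 1.0.2e and below: every DH suite reuses unless the option is set


def exposed_suites(version, names, single_dh_use=False):
    """Filter a server's configured ciphersuite names down to the exposed ones."""
    return [n for n in names if raccoon_exposed(version, n, single_dh_use)]


# Constructed sample of a server cipher list, mixing static, ephemeral and ECDH suites.
SAMPLE = ["DH-RSA-AES256-SHA", "DHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]
```

Running `exposed_suites("1.0.2v", SAMPLE)` returns only the static suite, while `exposed_suites("1.0.2e", SAMPLE)` also returns the DHE suite unless `single_dh_use=True` is passed.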
