|
An OpenSSL security advisory issued earlier today on Thursday 2015-06-11 [1]. According to the advisory users should upgrade OpenSSL to fix vulnerabliities that could be exploited by a Logjam attack [2]. The issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
Related vulnerabilities from the announcement: Of note, support for OpenSSL versions 1.0.0 and 0.9.8 will cease at the end of the year on 2015-12-31. No security updates for 1.0.0 and 0.9.8 will be provided after that. Users are advised to upgrade to the latest versions of 1.0.1 or 1.0.2. References: [1] http://openssl.org/news/secadv_20150611.txt |
Brad 341 Posts ISC Handler |
| Subscribe |
Jun 12th 2015 4 years ago |
|
This improves, but does not fix the
client side as it sets the minimum size DH group to 768 for clients rather than 1024 or 2048. Here the logic was modified to require a minimum size DH group of 1024, patch below. One must still generate proper 2048 bit or larger custom DH groups for servers per the instructions at https://weakdh.org/sysadmin.html --- ssl/s3_clnt.c.ar 2015-06-11 09:50:11.000000000 -0400 +++ ssl/s3_clnt.c 2015-06-11 11:44:59.000000000 -0400 @@ -3558,12 +3558,11 @@ goto f_err; dh_size = BN_num_bits(dh_srvr->p); DH_free(dh_srvr); } - if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768) - || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) { + if (dh_size < 1024) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL); goto f_err; } } #endif /* !OPENSSL_NO_DH */ |
Starlight 34 Posts |
| Quote |
Jun 11th 2015 4 years ago |
|
This SSL change, pushed out by Ubuntu for 12.04 LTS breaks the Security Onion.
https://groups.google.com/forum/#!topic/security-onion/E7HdGGUuq6c |
Anonymous |
| Quote |
Jun 12th 2015 4 years ago |
|
Looks like they quickly up-revved to 1.0.2c
12-Jun-2015: New releases to resolve ABI compatibility problems |
Anonymous |
| Quote |
Jun 14th 2015 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!
