On Wed, Jan 07, 2009 at 07:46:59PM -0700, Thomas J. Hruska wrote:

> I forgot to ask earlier today, but does the security vulnerability
> affect 0.9.7m?

Yes, but only in the unlikely case that you operate clients that establish authenticated sessions with servers that use DSA certificates. This said, vendors such as Redhat have issued updated 0.9.6 and 0.9.7 packages for older platforms. The ciphers in question are:

    DHE-DSS-AES256-SHA      SSLv3 Kx=DH      Au=DSS Enc=AES(256)  Mac=SHA1
    EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH      Au=DSS Enc=3DES(168) Mac=SHA1
    DHE-DSS-AES128-SHA      SSLv3 Kx=DH      Au=DSS Enc=AES(128)  Mac=SHA1
    EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH      Au=DSS Enc=DES(56)   Mac=SHA1
    EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40)   Mac=SHA1 export

you could disable these ciphers if DSA (aka DSS) support is not required. A 0.9.7 client with a cipherlist of "DEFAULT:!aDSS" would not be vulnerable (but would also not inter-operate with DSA servers).

In a sample of ~384,000 STARTTLS mail deliveries, only 11 deliveries used "DSS" certificates. This represents ~27,000 unique SMTP server IP addresses of which only 6 had DSS certificates. All 6 certificates were self-signed (so already no MITM protection for most clients).

SMTP traffic is of course an atypical sample, web client data is perhaps more interesting. Another caveat is that in this sample aNULL ciphers were used whenever available (mostly opportunistic TLS with peer Postfix 2.3+ servers, as other MTAs typically don't enable anonymous TLS by default). So some servers could have had DSS certificates that went unobserved. There were ~58,000 anonymous (ADH) deliveries to ~2900 distinct SMTP IP addresses.

-- 
Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
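Added example, not part of the original message or of OpenSSL: a small Python parser for the `openssl ciphers -v` line format quoted above, which reports the suites whose authentication field is Au=DSS so that a configured cipherlist can be audited. The sample listing is constructed from the five lines in the message plus one RSA line added for contrast, and the function names are hypothetical.

```python
# Constructed sample: the five `openssl ciphers -v` lines quoted in the
# message, plus one RSA-authenticated line added here for contrast.
SAMPLE = """\
DHE-DSS-AES256-SHA      SSLv3 Kx=DH      Au=DSS Enc=AES(256)  Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH      Au=DSS Enc=3DES(168) Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH      Au=DSS Enc=AES(128)  Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH      Au=DSS Enc=DES(56)   Mac=SHA1
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40)   Mac=SHA1 export
DHE-RSA-AES256-SHA      SSLv3 Kx=DH      Au=RSA Enc=AES(256)  Mac=SHA1
"""


def parse_cipher_line(line):
    """Split one `openssl ciphers -v` line into a dict of its fields.

    Returns None for blank or malformed lines.
    """
    tokens = line.split()
    if len(tokens) < 2:
        return None
    entry = {"name": tokens[0], "protocol": tokens[1], "export": False}
    for tok in tokens[2:]:
        if tok == "export":
            entry["export"] = True          # trailing export-grade marker
        elif "=" in tok:
            key, value = tok.split("=", 1)  # Kx=, Au=, Enc=, Mac=
            entry[key] = value
    return entry


def parse_listing(listing):
    """Parse a whole listing, skipping lines that do not parse."""
    parsed = (parse_cipher_line(line) for line in listing.splitlines())
    return [entry for entry in parsed if entry is not None]


def dss_suites(listing):
    """Names of suites authenticated with DSS (DSA) certificates."""
    return [e["name"] for e in parse_listing(listing) if e.get("Au") == "DSS"]


if __name__ == "__main__":
    flagged = dss_suites(SAMPLE)
    print("DSS-authenticated suites still enabled:", len(flagged))
    for name in flagged:
        print("  " + name)
```

Feeding it the output of `openssl ciphers -v` for the cipherlist a client is actually configured with shows whether any Au=DSS suites remain enabled; an empty result is what "DEFAULT:!aDSS" is meant to produce.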