[Ach] openssl again

Kurt Roeckx kurt at roeckx.be
Sun Jan 11 19:58:55 CET 2015

On Sat, Jan 10, 2015 at 10:40:59AM -0800, Seth wrote:
> On Fri, 09 Jan 2015 16:11:41 -0800, L. Aaron Kaplan <kaplan at cert.at> wrote:
> >https://www.openssl.org/news/secadv_20150108.txt
> >
> >*sigh*
> >
> >quote: "ECDHE silently downgrades to ECDH (...) This effectively removes
> >forward secrecy from the ciphersuite."
> I run LibreSSL wherever I can instead of OpenSSL. How would I go about
> determining if this attack also effects LibreSSL?

I see several options:
- You look from statements from libressl about it
  (Couldn't find any good source, the only statements I could find
   seems bogus.)
- You look at the patch and see if it applies.

So I've actually been looking at it.  I see one source that claims
they fixed one of the issues.  (Actually reading what he says
seems to say that fixed all those issues in a single commit.)  But
if you actually look at the patch he points to it fixes a missing
SSLerr() call and doesn't fix anything else.

In fact, for all those issues that I looked at, as far as I can see,
libressl is vulnerable and still didn't fix them.


More information about the Ach mailing list