[Ach] openssl again
Kurt Roeckx
kurt at roeckx.be
Sun Jan 11 19:58:55 CET 2015
On Sat, Jan 10, 2015 at 10:40:59AM -0800, Seth wrote:
> On Fri, 09 Jan 2015 16:11:41 -0800, L. Aaron Kaplan <kaplan at cert.at> wrote:
> >https://www.openssl.org/news/secadv_20150108.txt
> >
> >*sigh*
> >
> >quote: "ECDHE silently downgrades to ECDH (...) This effectively removes
> >forward secrecy from the ciphersuite."
>
> I run LibreSSL wherever I can instead of OpenSSL. How would I go about
> determining if this attack also effects LibreSSL?
I see several options:
- You look from statements from libressl about it
(Couldn't find any good source, the only statements I could find
seems bogus.)
- You look at the patch and see if it applies.
So I've actually been looking at it. I see one source that claims
they fixed one of the issues. (Actually reading what he says
seems to say that fixed all those issues in a single commit.) But
if you actually look at the patch he points to it fixes a missing
SSLerr() call and doesn't fix anything else.
In fact, for all those issues that I looked at, as far as I can see,
libressl is vulnerable and still didn't fix them.
Kurt
More information about the Ach
mailing list