back to article OpenSSL patch quashes rare HTTPS nasty, shores up crypto chops

OpenSSL maintainers have pushed a pair of patches, crushing a dangerous but uncommon bug that allows HTTPS to be unravelled while also hardening servers against downgrade attacks. Affected servers are open to key recovery attacks only if it runs certain Digital Signature Algorithm and static Diffie-Hellman key exchange …

  1. Bronek Kozicki


    ... this is not seem like silly coding bug, but weakness in the cryptography part. Which of course everyone assumed OpenSSL was doing right, despite other major flaws of the project ...

  2. Dan 55 Silver badge

    I'll ask the question...

    Has this already been fixed in LibreSSL?

    1. Dan 55 Silver badge

      Re: I'll ask the question...

      And I'll answer it... no it is not.

      1. Dan 55 Silver badge

        Re: I'll ask the question...

        What I meant to say was LibreSSL was not affected, not that it has not been fixed.

    2. Tomato42

      Re: I'll ask the question...

      notepad.exe is also not vulnerable to the OpenSSL bugs, that doesn't make it particularly useful crypto library

      (LibreSSL guys aim to not support even a tenth of the features that OpenSSL supports - anything outside very simple web hosting is "out of scope" for them)

      1. Dan 55 Silver badge

        Re: I'll ask the question...

        Odd because it is often used as a drop-in replacement.

  3. Anonymous Coward

    How would this work in the real world? That a heck of a thing to try to do, surely?

  4. Binnacle

    Must be Joking

    OpenSSL should follow the example of CVEs and provide an "impact" rating to go with the "severity" rating. This one qualifies as severity HIGH, impact ZERO.

    Took 20 minutes to figure out how to invoke the vulnerable code:

    openssl genpkey -genparam -algorithm DSA -out dsap.pem -pkeyopt dsa_paramgen_bits:1024 -outform dh_rfc5114

    The number of folks who have employed this are counted on one hand.

  5. druck Silver badge

    Adobe spots bug

    Antonio's work on this is very much appreciated, but can we assume from this that Adobe have fixed all their own bugs, and now have time to scrutinise open source projects?

    1. allthecoolshortnamesweretaken

      Re: Adobe spots bug

      Unlikely. This is probably more along the lines of "it takes one to know one"

  6. JamesSmith1

    "The high severity bug (CVE-2016-0701) revealed by Adobe engineer Antonio Sanso"

    Why is an Adobe engineer working on this? Surely they should be hard at work patching Flash.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022