On 10/09/2020 16:14, Jakob Bohm via openssl-users wrote:
> On 2020-09-10 09:03, Tomas Mraz wrote:
>> On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
>>> Wouldn't a more reasonable response for 1.0.2 users have been to
>>> force on SSL_OP_SINGLE_DH_USE rather than recklessly deprecating
>>> affected cipher suites and telling affected people to recompile
>>> with the fix off?
>>
>> You seem to be mixing two different affected things. One is the static
>> DH ciphersuites. There is no remediation for these except for not using
>> them. Fortunately they are not really used by anyone. This can be
>> achieved on the server side by simply not providing the DH certificate.
>> On the client side they can be dropped from the ciphers string. This is
>> the "deprecating affected cipher suites" change part.
>>
>> On the other hand the reuse of DH key for ephemeral DH can be only
>> disabled by setting SSL_OP_SINGLE_DH_USE by the calling server
>> application. This is the part relevant for wider audience.
>>
>> So yes, both issues can be remediated by application calling the
>> OpenSSL library. On the other hand it is not always possible to change
>> the application so we also provide fix to premium support customers in
>> terms of changing the openssl code.
>>
>
> The advisory didn't include this clarification,

Isn't the text below from the advisory more-or-less what Tomas said?

"OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
ciphersuite is used ... Since the vulnerability lies in the TLS
specification, fixing the affected ciphersuites is not viable. For this
reason 1.0.2w moves the affected ciphersuites into the "weak-ssl-ciphers"
list."

> and didn't state if
> 1.0.2w fixes the DHE case by doing what 1.1.x does and act like
> SSL_OP_SINGLE_DH_USE is always set.

The advisory says that SSL_OP_SINGLE_DH_USE was made the default in 1.0.2f:

"OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
connections in server processes unless the SSL_OP_SINGLE_DH_USE option was
explicitly configured. Therefore all ciphersuites that use DH in servers
(including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f
SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as
a response to CVE-2016-0701."

Matt
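
Added example, not part of the original message and not OpenSSL code: the rules quoted from the advisory above, written as a check that lists which suites in a 1.0.2 server's cipher list can still reuse a DH secret. The function names, the sample list and the reliance on OpenSSL's suite-name prefixes (DH-RSA-/DH-DSS- for static DH, DHE-/EDH-/ADH- for temporary DH keys) are assumptions of this example.

```python
import re

# Assumption: suite names follow OpenSSL's naming convention.
STATIC_DH = re.compile(r"^(EXP-)?DH-(RSA|DSS)-")   # fixed DH key from the certificate
TEMP_DH = re.compile(r"^(EXP-)?(DHE|EDH|ADH)-")    # key from the server's temporary DH setup


def patch_level(version):
    """Return a sortable patch level for a 1.0.2-series version string."""
    m = re.fullmatch(r"1\.0\.2([a-z]{0,2})", version)
    if m is None:
        raise ValueError("only the 1.0.2 series is modelled: %r" % version)
    letter = m.group(1)
    return (len(letter), letter)   # "" < "a" < ... < "z" < "za" < ...


def reuses_dh_secret(version, single_dh_use, suite):
    """True if a server on this build may reuse a DH secret for this suite."""
    # Per the advisory text: 1.0.2f made SSL_OP_SINGLE_DH_USE the default.
    forced = patch_level(version) >= (1, "f")
    if STATIC_DH.match(suite):
        return True    # static DH: no remediation except not using the suite
    if TEMP_DH.match(suite):
        return not (forced or single_dh_use)
    return False       # non-DH key exchange is outside what the thread discusses


def affected_suites(version, single_dh_use, suites):
    """Filter a cipher list down to the suites that can reuse a DH secret."""
    return [s for s in suites if reuses_dh_secret(version, single_dh_use, s)]


# Constructed sample cipher list, not taken from any real deployment.
SAMPLE = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA",
          "DH-RSA-AES256-SHA", "EDH-RSA-DES-CBC3-SHA", "AES128-SHA"]

if __name__ == "__main__":
    for ver, opt in [("1.0.2e", False), ("1.0.2e", True), ("1.0.2w", False)]:
        print(ver, "SINGLE_DH_USE" if opt else "default", affected_suites(ver, opt, SAMPLE))
```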