Re: [openssl-project] Constant time by default

[Salz, Rich]

I think this is a great idea, but that it is way too late for this release.  We 
really should be concentrating on testing and fixes, and open PR's and other 
release criteria.  Ideally the release goes out in a month (IETF RFC editor 
willing)

___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

[openssl-project] Constant time by default

[Matt Caswell]

I'd like to draw everyone's attention to PR #5969

Given CVE-2018-0737, and the fact that this is far from the first time
this has happened I think we should change the default so that we always
use the constant time implementation unless specifically flagged
otherwise. E.g see these issues:

54f007a (CVE-2018-0737)
8db7946
e913d11
6364475
6364475
3de81a5
47ae05b
033dc8f
3999446 (CVE-2016-2178)

As I say in the PR (marked as WIP) I am seeking feedback as to whether
this is something we should pursue now (i.e. for 1.1.1) or later (post
1.1.1) or not at all.

Matt


___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

[openssl-project] OpenSSL Security Advisory

[OpenSSL]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


OpenSSL Security Advisory [16 Apr 2018]


Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)


Severity: Low

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a
cache timing side channel attack. An attacker with sufficient access to mount
cache timing attacks during the RSA key generation process could recover the
private key.

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i
and OpenSSL 1.0.2p when they become available. The fix is also available in
commit 6939eab03 (for 1.1.0) and commit 349a41da1 (for 1.0.2) in the OpenSSL git
repository.

This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
The fix was developed by Billy Brumley.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20180416.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJa1MKgAAoJENnE0m0OYESRKOoIAKmRnj0YtE1y89WnRiCjMk8l
Z7XAsPk6nkEa8dlrEvEsUhS90CFSf9OcYliAlfjD/+RVZXXeK4AHn8/g7HxAdDcK
62biQiHbxICBqnrE6DCe6GrMXEy3MWuefSWnoTyd/x8W1grjdhkrlmIqe68DP0iv
WItmStRVOpx4mQDcrYqw6ZKhhu1Lv007khyAornJP+S6NSlK6brdNQyRNmp3+HO4
irqPi6xQWGcaAtrdpWi8mDnomld75j5m+G98N/gCqaCAIn7Zau+kAAW1+1dO5S4L
tsQ0CifVnRfUTz0cCL51L8G3a3RWYs34AXRZvSRi3q88AiZ1L6FCF2cHZJu1KuE=
=+TYO
-END PGP SIGNATURE-
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] The problem of (implicit) relinking and changed behaviour

[Viktor Dukhovni]

> On Apr 16, 2018, at 6:00 AM, Matt Caswell  wrote:
> 
> That's not entirely true. This works:
> 
> $ openssl s_server -cert dsacert.pem -key dsakey.pem -cipher ALL:@SECLEVEL=0
> $ openssl s_client -no_tls1_3 -cipher ALL@SECLEVEL=0
> 
> This doesn't:
> 
> $ openssl s_server -cert dsacert.pem -key dsakey.pem -cipher ALL:@SECLEVEL=0
> $ openssl s_client -cipher ALL@SECLEVEL=0
> 
> 139667082474432:error:14201076:SSL routines:tls_choose_sigalg:no
> suitable signature algorithm:ssl/t1_lib.c:2484:
> 
> We do not allow DSA certs in TLSv1.3.

It is largely time we did not allow them in TLS 1.2 either, nobody
uses them, but perhaps "nobody" == USG?

-- 
Viktor.

___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project