However, OpenSSL has the SSL_OP_SINGLE_DH_USE option for ephemeral Diffie-Hellman in TLS. But the option was turned OFF by default that made the server reuse the same private exponent, making it vulnerable to this type of attack.
Fortunately, many mainstream applications, like The Apache Web server that rely on OpenSSL and use Diffie-Hellman, turns ON SSL_OP_SINGLE_DH_USE, causing different private exponents to be used.
OpenSSL said in an advisory
published today that the team has turned ON
SSL_OP_SINGLE_DH_USE option by default. You can go to OpenSSL official blog post to know additional details about the flaw.
Force to Use Weaker SSLv2 Ciphers
The “low severity” vulnerability, CVE-2015-3197 that affects versions 1.0.2 and 1.0.1, has also been patched in the latest release, which allows attackers to force SSLv3 connections through the weaker SSLv2 ciphers.
“A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2,” the team said.
However, the team said that disabling SSLv2 ciphers on your server will not help and that incoming client can still complete SSL handshakes with the server, thereby establishing a non-secure SSLv2 connection.
Remember Logjam Downgrade Flaw?
The project team said the Thursday’s release also contained an enhancement to strengthen cryptography againstLogJam
, an HTTPS-crippling vulnerability in TLS disclosed last May.
Logjam downgrade vulnerability allowed hackers to downgrade Diffie-Hellman-generated encrypted connections between a user and a Web or email server to use extremely weaker 512-bit keys that can be easily decrypted.
The previous patch had increased the limit of Diffie-Hellman parameters to 768 bits, but OpenSSL has now increased this limit to 1,024 bits.
If you are using OpenSSL version 1.0.2, it’s time for you to upgrade to version 1.0.2f. While those still using OpenSSL version 1.0.1 should install version 1.0.1r.
Among other recommendations, Thursday’s OpenSSL advisory also warns that the patch may compromise performance, along with reminding users that support for OpenSSL version 1.0.1 will end at the end of this year, after which no security updates will be available.
However, Support for OpenSSL versions 0.9.8 and 1.0.0 already ended in December.