Ubuntu
openssl package

Please backport OpenSSL SNI signature algorithms fix.

Bug #1550643 reported by David Benjamin
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssl (Ubuntu)
Fix Released
Undecided
Unassigned
Precise
Fix Released
Medium
Marc Deslauriers
Trusty
Fix Released
Medium
Marc Deslauriers

Bug Description

If an OpenSSL consumer uses SSL_set_SSL_CTX (very commonly done with SNI), OpenSSL 1.0.1i and earlier lose internal state relating to TLS 1.2 which causes it to forget the peer's digest preferences. The end result is such servers will *only* sign SHA-1 ServerKeyExchanges in TLS 1.2, even if the peer advertises other hashes or even doesn't advertise SHA-1 at all.

See:
https://rt.openssl.org/Ticket/Display.html?id=3560
https://bugzilla.redhat.com/show_bug.cgi?id=1150033
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4e05aedbcab7f7f83a887e952ebdcc5d4f2291e4
http://www.ietf.org/mail-archive/web/tls/current/msg19195.html

Glancing at packages.ubuntu.com, this seems to affect Ubuntu vivid and below. It would be greatly appreciated if you would backport this fix to all applicable releases so Ubuntu servers do not become the limiting factor in someday removing SHA-1 here.

The links above should have reproduction steps you can use to confirm the bug and test the fix. (Note that it requires a build of OpenSSL 1.0.2 to confirm the bug. OpenSSL 1.0.1's s_client doesn't print the necessary information.)

Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Precise):
status: New → Confirmed
Changed in openssl (Ubuntu Trusty):
status: New → Confirmed
Changed in openssl (Ubuntu Precise):
importance: Undecided → Medium
Changed in openssl (Ubuntu Trusty):
importance: Undecided → Medium
Changed in openssl (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1-4ubuntu5.35

---------------
openssl (1.0.1-4ubuntu5.35) precise-security; urgency=medium

  * SECURITY UPDATE: side channel attack on modular exponentiation
    - debian/patches/CVE-2016-0702.patch: use constant-time calculations in
      crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c,
      crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
    - CVE-2016-0702
  * SECURITY UPDATE: double-free in DSA code
    - debian/patches/CVE-2016-0705.patch: fix double-free in
      crypto/dsa/dsa_ameth.c.
    - CVE-2016-0705
  * SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
    - debian/patches/CVE-2016-0797.patch: prevent overflow in
      crypto/bn/bn_print.c, crypto/bn/bn.h.
    - CVE-2016-0797
  * SECURITY UPDATE: memory leak in SRP database lookups
    - debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
      introduce new SRP_VBASE_get1_by_user function that handled seed
      properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
      util/libeay.num, openssl.ld.
    - CVE-2016-0798
  * SECURITY UPDATE: memory issues in BIO_*printf functions
    - debian/patches/CVE-2016-0799.patch: prevent overflow in
      crypto/bio/b_print.c.
    - CVE-2016-0799
  * debian/patches/preserve_digests_for_sni.patch: preserve negotiated
    digests for SNI when SSL_set_SSL_CTX is called in ssl/ssl_lib.c.
    (LP: #1550643)

 -- Marc Deslauriers <email address hidden> Mon, 29 Feb 2016 08:01:48 -0500

Changed in openssl (Ubuntu Precise):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1f-1ubuntu2.18

---------------
openssl (1.0.1f-1ubuntu2.18) trusty-security; urgency=medium

  * SECURITY UPDATE: side channel attack on modular exponentiation
    - debian/patches/CVE-2016-0702.patch: use constant-time calculations in
      crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c,
      crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
    - CVE-2016-0702
  * SECURITY UPDATE: double-free in DSA code
    - debian/patches/CVE-2016-0705.patch: fix double-free in
      crypto/dsa/dsa_ameth.c.
    - CVE-2016-0705
  * SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
    - debian/patches/CVE-2016-0797.patch: prevent overflow in
      crypto/bn/bn_print.c, crypto/bn/bn.h.
    - CVE-2016-0797
  * SECURITY UPDATE: memory leak in SRP database lookups
    - debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
      introduce new SRP_VBASE_get1_by_user function that handled seed
      properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
      util/libeay.num, openssl.ld.
    - CVE-2016-0798
  * SECURITY UPDATE: memory issues in BIO_*printf functions
    - debian/patches/CVE-2016-0799.patch: prevent overflow in
      crypto/bio/b_print.c.
    - CVE-2016-0799
  * debian/patches/preserve_digests_for_sni.patch: preserve negotiated
    digests for SNI when SSL_set_SSL_CTX is called in ssl/ssl_lib.c.
    (LP: #1550643)

 -- Marc Deslauriers <email address hidden> Mon, 29 Feb 2016 07:56:15 -0500

Changed in openssl (Ubuntu Trusty):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.