OpenSSL fixes high-severity key recovery hole

Developers of the popular OpenSSL cryptographic library have closed a vulnerability that could potentially allow attackers to steal the digital keys used to decrypt HTTPs and TLS secured communications.

Adobe engineer Antonio Sanso discovered the flaw, which is rated as high severity by OpenSSL.

The attack requires multiple handshakes to be completed with a vulnerable OpenSSL peer that uses the same Diffie-Hellman exponent. Diffie-Hellman on OpenSSL must also be configured with parameters based on primes that are not safe to use for the attack to succeed, Sanso wrote.

Sanso reported the flaw to OpenSSL on January 13. The United States Computer Emergency Response Team (CERT) has also issued an alert about the vulnerability.

Users are advised to upgrade to OpenSSL 1.0.1r and 1.0.2f as soon as possible. It is also possible to enable the SSL_OP_SINGLE_DH_USE option to prevent primes being reused in the Diffie-Hellman protocol.

OpenSSL also strengthened the mitigation against the "Logjam" vulnerability discovered last year, which allowed attackers to downgrade Transport Layer Security (TLS) protected connections that used ephemeral Diffie-Hellman key exchanges, to weak, 512-bit export-grade cryptography.

The new versions of OpenSSL will now reject handshakes with Diffie-Hellman parameters shorter than 1024 bits, up from 768 bits, so as to offer stronger cryptographic assurance.

A low severity bug that could allow malicious clients to negotiate SSL version 2 ciphers disabled on servers and complete handshakes for the older protocol has also been fixed in OpenSSL 1.0.2f and 1.0.1r.