
SANS ISC: Updates to OpenSSL fix vulnerabilities related to Logjam - SANS Internet Storm Center SANS ISC InfoSec Forums

Updates to OpenSSL fix vulnerabilities related to Logjam

An OpenSSL security advisory was issued earlier today, Thursday 2015-06-11 [1]. According to the advisory, users should upgrade OpenSSL to fix vulnerabilities that could be exploited by a Logjam attack [2].

The issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

  • OpenSSL 1.0.2 users should upgrade to 1.0.2b
  • OpenSSL 1.0.1 users should upgrade to 1.0.1n
  • OpenSSL 1.0.0 users should upgrade to 1.0.0s
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zg

Related vulnerabilities from the announcement:

Of note, support for OpenSSL versions 1.0.0 and 0.9.8 will cease at the end of the year, on 2015-12-31. No security updates for 1.0.0 and 0.9.8 will be provided after that date. Users are advised to upgrade to the latest versions of 1.0.1 or 1.0.2.




435 Posts
ISC Handler
Jun 12th 2015
This improves, but does not fix, the client side, as it sets the minimum size DH group to 768 for clients rather than 1024 or 2048.

Here the logic was modified to require a minimum size DH group of 1024, patch

One must still generate proper 2048 bit or larger custom DH groups for servers per the instructions at

--- ssl/ 2015-06-11 09:50:11.000000000 -0400
+++ ssl/s3_clnt.c 2015-06-11 11:44:59.000000000 -0400
@@ -3558,12 +3558,11 @@
goto f_err;
dh_size = BN_num_bits(dh_srvr->p);

- if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
- || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
+ if (dh_size < 1024) {
goto f_err;
#endif /* !OPENSSL_NO_DH */
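Review bot: the hunk as pasted is incomplete and will not apply cleanly as shown: the `---` header names only `ssl/` while the `+++` header has `ssl/s3_clnt.c`, the `@@ -3558,12 +3558,11 @@` counts promise twelve and eleven lines but only eight are visible, and the `{` opened by the new `if (dh_size < 1024) {` has no visible closing brace, so the lines between it and `goto f_err;` appear to have been lost in the paste. On the logic, the flat 1024-bit floor also removes the export-cipher branch that previously tolerated a 512-bit group, so export-grade suites now fail the handshake entirely; that is the intended hardening, but it is worth stating in the patch description so nobody mistakes the lost branch for an accident.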

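The comment above says servers must still ship 2048-bit or larger DH groups. The following is my own added check, not code from the diary, OpenSSL or the commenter: it parses a PEM `DH PARAMETERS` file (the PKCS#3 structure `openssl dhparam` writes) without third-party libraries and reports the group size, the same quantity the patched client compares via `BN_num_bits(dh_srvr->p)`. The two sample PEMs are constructed from placeholder moduli, not real safe primes, purely to exercise the parser.

```python
import base64
import re
# PEM "DH PARAMETERS" wraps a PKCS#3 DHParameter: SEQUENCE { p INTEGER, g INTEGER }
PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Decode a PEM DH PARAMETERS block into the integers (p, g)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, body, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected SEQUENCE { INTEGER, INTEGER }")
    return int.from_bytes(p_bytes, "big", signed=True), int.from_bytes(g_bytes, "big", signed=True)

def dh_group_bits(pem):
    """Group size in bits = bit length of p, the value the patched client checks."""
    return parse_dh_params(pem)[0].bit_length()

def dh_group_ok(pem, minimum=2048):
    """True when the group meets the minimum; 768- and 1024-bit groups are Logjam-sized."""
    return dh_group_bits(pem) >= minimum

# --- Constructed sample input: minimal DER/PEM encoder used only to build test data ---
def _der_len(n):
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw

def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # leading 0x00 when the top bit is set
    return b"\x02" + _der_len(len(raw)) + raw

def make_dh_pem(p, g=2):
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % lines

# Placeholder moduli with the top bit set at 1024 and 2048 bits; NOT real safe primes.
WEAK_1024 = make_dh_pem((1 << 1023) | 0x1D3)
STRONG_2048 = make_dh_pem((1 << 2047) | 0x1D3)
```

Point `parse_dh_params` at the contents of a real `dhparam.pem` to audit a server's configured group; anything below 2048 bits should be regenerated.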
34 Posts
This SSL change, pushed out by Ubuntu for 12.04 LTS, breaks the Security Onion. !topic/security-onion/E7HdGGUuq6c
Looks like they quickly up-revved to 1.0.2c
12-Jun-2015: New releases to resolve ABI compatibility problems
