In association with heise online

08 January 2009, 11:31

OpenSSL accepts forged certificates


A flaw in the widely used OpenSSL SSL/TLS library can be exploited to make a forged certificate signature pass as valid. An attacker in a man-in-the-middle position can reportedly present such a certificate to an OpenSSL-based client, which accepts it without any warning, and can then read or manipulate the supposedly protected traffic.

The problem lies in how the results of DSA and ECDSA signature checks are evaluated. The Digital Signature Algorithm (DSA) is a signature scheme whose security rests purely on the discrete logarithm problem; ECDSA is the same construction over elliptic-curve groups. Both are used as alternatives to RSA.

According to the OpenSSL advisory, the value returned by the EVP_VerifyFinal function is evaluated incorrectly by several other OpenSSL functions. EVP_VerifyFinal returns 1 for a valid signature, 0 for an invalid one and -1 on error, for instance when the signature itself is malformed; the affected callers treated any non-zero value as success, so a deliberately malformed signature is accepted as valid. The oCERT advisory states that the same applies to callers of DSA_verify and DSA_do_verify. Certificates with RSA keys are not affected, and the verification of client certificates by OpenSSL servers is not affected for any key type. All OpenSSL releases prior to 0.9.8j are vulnerable; version 0.9.8j fixes the issue.
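The following C program is an added example and not code from the article or from OpenSSL. It models the return-value bug described above (tracked as CVE-2008-5077): verify_final() is a stand-in for EVP_VerifyFinal with the same 1/0/-1 contract, accept_vulnerable() mirrors the pre-0.9.8j pattern that treated any non-zero return as success, and accept_fixed() mirrors the corrected check. The DER wrapper parsing (SEQUENCE of two INTEGERs, as DSA and ECDSA signatures are encoded) is real but minimal; the "signature" maths inside verify_final() is a toy placeholder, not DSA. All sample inputs are constructed.

```c
/*
 * Added example (not from the article or OpenSSL): models CVE-2008-5077.
 * OpenSSL's EVP_VerifyFinal()/DSA_verify() return
 *   1  signature valid
 *   0  signature invalid
 *  -1  error (e.g. malformed signature encoding)
 * Vulnerable callers tested "if (!ret) goto err;", so -1 counted as success.
 */
#include <stdio.h>
#include <stddef.h>

/* Parse a DER INTEGER at *p; advance *p past it and return its value.
 * Toy restriction: only one-byte INTEGERs are supported.
 * Returns -1 if the encoding is malformed. */
static int der_read_int(const unsigned char **p, const unsigned char *end)
{
    if (end - *p < 3 || (*p)[0] != 0x02 || (*p)[1] != 0x01)
        return -1;
    int v = (*p)[2];
    *p += 3;
    return v;
}

/* Stand-in for EVP_VerifyFinal(): same 1/0/-1 contract, toy maths. */
static int verify_final(const unsigned char digest[4],
                        const unsigned char *sig, size_t siglen)
{
    const unsigned char *p = sig, *end = sig + siglen;

    /* SEQUENCE header: tag 0x30, one-byte length covering the rest. */
    if (siglen < 2 || sig[0] != 0x30 || (size_t)sig[1] != siglen - 2)
        return -1;                       /* malformed -> error */
    p += 2;

    int r = der_read_int(&p, end);
    int s = der_read_int(&p, end);
    if (r < 0 || s < 0 || p != end)
        return -1;                       /* malformed -> error, not "bad sig" */

    /* Toy "signature" (assumption, not DSA): r and s must equal two
     * digest-derived bytes. Kept only to make the example self-contained. */
    int expect_r = (digest[0] ^ digest[1]) & 0x7f;
    int expect_s = (digest[2] ^ digest[3]) & 0x7f;
    return (r == expect_r && s == expect_s) ? 1 : 0;
}

/* Vulnerable pattern (pre-0.9.8j): any non-zero return counts as OK. */
int accept_vulnerable(const unsigned char digest[4],
                      const unsigned char *sig, size_t siglen)
{
    if (!verify_final(digest, sig, siglen))   /* -1 slips through here */
        return 0;
    return 1;
}

/* Fixed pattern: only an explicit 1 is success; 0 and -1 both reject. */
int accept_fixed(const unsigned char digest[4],
                 const unsigned char *sig, size_t siglen)
{
    if (verify_final(digest, sig, siglen) <= 0)
        return 0;
    return 1;
}

/* Constructed sample inputs.  digest {0x31,0x42,0x53,0x64} gives
 * expect_r = 0x31 ^ 0x42 = 0x73 and expect_s = 0x53 ^ 0x64 = 0x37. */
static const unsigned char DIGEST[4] = { 0x31, 0x42, 0x53, 0x64 };
/* SEQUENCE { INTEGER 0x73, INTEGER 0x37 }: valid */
static const unsigned char SIG_GOOD[] =
    { 0x30, 0x06, 0x02, 0x01, 0x73, 0x02, 0x01, 0x37 };
/* well-formed, but s is wrong: invalid */
static const unsigned char SIG_WRONG[] =
    { 0x30, 0x06, 0x02, 0x01, 0x73, 0x02, 0x01, 0x38 };
/* length-consistent SEQUENCE that omits the second INTEGER: malformed */
static const unsigned char SIG_MALFORMED[] =
    { 0x30, 0x03, 0x02, 0x01, 0x73 };

int main(void)
{
    struct { const char *name; const unsigned char *sig; size_t len; } cases[] = {
        { "valid",     SIG_GOOD,      sizeof SIG_GOOD },
        { "wrong",     SIG_WRONG,     sizeof SIG_WRONG },
        { "malformed", SIG_MALFORMED, sizeof SIG_MALFORMED },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-9s ret=%2d  vulnerable:%s  fixed:%s\n", cases[i].name,
               verify_final(DIGEST, cases[i].sig, cases[i].len),
               accept_vulnerable(DIGEST, cases[i].sig, cases[i].len) ? "ACCEPT" : "reject",
               accept_fixed(DIGEST, cases[i].sig, cases[i].len) ? "ACCEPT" : "reject");
    }
    return 0;
}
```

The "malformed" case is the one that matters: verify_final() reports an error (-1), the vulnerable caller accepts it, the fixed caller rejects it. Note that the attacker does not need a valid signature at all, only an encoding that pushes the verifier into its error path, which is why the advisory speaks of malformed rather than forged signatures.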

According to the oCERT advisory, the flaw also affects the BIND name server, NTP and Sun's GridEngine, all of which rely on OpenSSL for signature verification. ISC, the vendor of BIND, has already released an update; without it, attackers could inject forged DNS responses even into infrastructures protected by DNSSEC, because a validating resolver would accept a malformed DSA signature on them. As a workaround, ISC suggests disabling the DSA and ECDSA algorithms in the configuration.
