Bug 1150033
Summary: | OpenSSL selects weak digest for (EC)DH kex signing in TLSv1.2 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Alicja Kario <hkario> |
Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED ERRATA | QA Contact: | Alicja Kario <hkario> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.0 | CC: | fweimer, qe-baseos-security, sardella, tmraz |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | openssl-1.0.1e-40.el7 | Doc Type: | Bug Fix |
Doc Text: |
No doc text needed
|
Story Points: | --- |
Clone Of: | 1150032 | Environment: | |
Last Closed: | 2015-03-05 11:04:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1057566 |
Description
Alicja Kario
2014-10-07 09:53:25 UTC
The problem is that the second SSL context that is used when the server receives the servername extension does not have full copy of settings from the main context. Namely the tls1_process_sigalgs() is not properly called for it. It is fairly nontrivial to fix this but I'll try to report it upstream. Reported upstream: http://rt.openssl.org/Ticket/Display.html?id=3559&user=guest&pass=guest Second upstream bug: https://rt.openssl.org/Ticket/Display.html?id=3560&user=guest&pass=guest Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0478.html |