New release of OpenSSL [1] fixes the following bug: Fix bug where an OpenSSL client would accept a handshake using an ephemeral ECDH ciphersuites with the server key exchange message omitted. Upstream patches: - master: https://github.com/openssl/openssl/commit/b15f8769644b00ef7283521593360b7b2135cb63 - 0.9.8: https://github.com/openssl/openssl/commit/e42a2abadc90664e2615dc63ba7f79cf163f780a - 1.0.1: https://github.com/openssl/openssl/commit/ef28c6d6767a6a30df5add36171894c96628fe98 [1]: https://www.openssl.org/news/changelog.html
Upstream commit that looks to fix the problem: https://github.com/openssl/openssl/commit/b15f8769644b00ef7283521593360b7b2135cb63 External References: https://www.openssl.org/news/secadv_20150108.txt
I am not sure whether this affects also the ephemeral DH ciphersuites or not. The patch adds the requirement for ServerKeyExchange message for ephemeral DH as well.
Statement: This issue does not affect the version of openssl and openssl097a as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of openssl098e as shipped with Red Hat Enterprise Linux 6 and 7.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2015:0066 https://rhn.redhat.com/errata/RHSA-2015-0066.html