It was reported that OpenSSL 0.9.8g (only in the 32-bit build) was vulnerable to a bug where, in extremely rare instances, the bug would cause incorrect computation of finite field operations when using NIST elliptic curves P-256 or P-384. This flaw could allow for the retrieval of a TLS server's private key. A paper was published [1] describing the attack. There are some very specific pre-requisites for a successful attack: - OpenSSL 0.9.8g (32-bit build) - use of NIST elliptic curve P-256 and/or P-384 - the use of ECDH family ciphers and/or the use of ECDHE family ciphers *and* the lack of SSL_OP_SINGLE_ECDH_USE context option This bug is corrected in OpenSSL >= 0.9.8h and does not affect earlier versions of OpenSSL than 0.9.8g. A series of patches [2] fix this upstream (starting with r.1.15). [1] http://eprint.iacr.org/2011/633 [2] http://cvs.openssl.org/rlog?f=openssl%2Fcrypto%2Fbn%2Fbn_nist.c
(In reply to comment #0) > A series of patches [2] fix this upstream (starting with r.1.15). > > [2] http://cvs.openssl.org/rlog?f=openssl%2Fcrypto%2Fbn%2Fbn_nist.c Related upstream bug report: http://rt.openssl.org/Ticket/Display.html?id=1593&user=guest&pass=guest which indicated last related revision is 1.20 / 1.21, i.e. mentioned series of patches should include following commits: http://cvs.openssl.org/chngview?cn=16985 http://cvs.openssl.org/chngview?cn=17029 http://cvs.openssl.org/chngview?cn=17030 http://cvs.openssl.org/chngview?cn=17077 http://cvs.openssl.org/chngview?cn=17078 http://cvs.openssl.org/chngview?cn=17081 http://cvs.openssl.org/chngview?cn=17085 Cumulative bn_nist.c patch: http://cvs.openssl.org/filediff?f=openssl/crypto/bn/bn_nist.c&v1=1.14&v2=1.21
Statement: This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6 as they did not include support for the ECDH or ECDHE ciphers.