Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with an unseeded PRNG. The conditions are:
- The client is on a platform where the PRNG has not been seeded automatically, and the application has not seeded it manually
- A protocol-specific client method has been used (i.e. not the version-flexible SSLv23_client_method())
- A ciphersuite is used that does not require additional random data from the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
If the handshake succeeds, the client random that was sent will have been generated by a PRNG with insufficient entropy, and therefore that value may be predictable.
For example, the following command succeeds with an unseeded openssl on an unpatched system:
openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
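As an added illustration (not part of the advisory and not OpenSSL project code), the check a client should make before it ever sends a ClientHello: refuse to build a TLS context unless OpenSSL reports its PRNG seeded, feeding os.urandom into RAND_add first, and use the version-flexible client method rather than a fixed-version one. The status/add/entropy_source parameters are hypothetical hooks added only so the unseeded path can be exercised on a normally seeded host.

```python
import os
import ssl


class UnseededPRNGError(RuntimeError):
    """Raised when OpenSSL's PRNG cannot be brought to a seeded state."""


def ensure_prng_seeded(status=ssl.RAND_status, add=ssl.RAND_add,
                       entropy_source=os.urandom, seed_len=32):
    """Run before any TLS handshake so no ClientHello random is ever drawn
    from an unseeded PRNG. Returns the number of seed bytes fed in (0 when
    the PRNG was already seeded) and raises UnseededPRNGError if OpenSSL
    still reports unseeded afterwards.

    status/add/entropy_source are injectable only so the unseeded path can
    be tested on a host whose OpenSSL is already seeded (hypothetical hooks,
    not an OpenSSL API).
    """
    if status():
        return 0
    seed = entropy_source(seed_len)
    # RAND_add's second argument is the entropy estimate in bytes; os.urandom
    # output is assumed here to carry full entropy.
    add(seed, float(len(seed)))
    if not status():
        raise UnseededPRNGError("OpenSSL PRNG still unseeded after RAND_add")
    return len(seed)


def client_context():
    """Client context built only after the PRNG guard passes, using the
    version-flexible client method (PROTOCOL_TLS_CLIENT, the counterpart of
    SSLv23_client_method) rather than a fixed-version one, with the default
    certificate and hostname checks left on."""
    ensure_prng_seeded()
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    fed = ensure_prng_seeded()
    print("PRNG seeded; bytes fed:", fed, "RAND_status:", ssl.RAND_status())
```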
This issue affects OpenSSL version 1.0.2, and is fixed in version 1.0.2a.
Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Matt Caswell of the OpenSSL development team as the original reporter.
This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5, 6, and 7.