
OpenSSL: SSL 2.0 protocol rollback

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200510-11 / OpenSSL
Release Date October 12, 2005
Latest Revision November 07, 2005: 02
Impact low
Exploitable remote
Package           Vulnerable versions   Unaffected versions                                        Architecture(s)
dev-libs/openssl  < 0.9.7h              >= 0.9.7h, revision >= 0.9.7g-r1, revision >= 0.9.7e-r2    All supported architectures

Related bugreports: #108852

Synopsis

When a specific option is set, OpenSSL can be forced to fall back to the less secure SSL 2.0 protocol.

2.  Impact Information

Background

OpenSSL is a toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, together with a general-purpose cryptography library.

Description

Applications setting the SSL_OP_MSIE_SSLV2_RSA_PADDING option (or the SSL_OP_ALL option, which implies it) can be forced by a third party to fall back to the less secure SSL 2.0 protocol, even if both parties support the more secure SSL 3.0 or TLS 1.0 protocols.

Impact

A man-in-the-middle attacker can weaken the encryption used to communicate between two parties, potentially revealing sensitive information.

3.  Resolution Information

Workaround

If possible, disable the use of SSL 2.0 in all OpenSSL-enabled applications.
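The description and workaround above hinge on two facts: SSL_OP_ALL silently carries SSL_OP_MSIE_SSLV2_RSA_PADDING with it, and the rollback only matters while SSL 2.0 is still allowed. The following C program is an added example, not code from the advisory or from the OpenSSL project; it models the option bitmask an application would hand to SSL_CTX_set_options(), flags a configuration that leaves the rollback reachable, and applies the workaround by adding SSL_OP_NO_SSLv2. The three bit values are assumed to be those of OpenSSL 0.9.7's ssl.h and are defined locally so the file builds without OpenSSL installed.

```c
#include <stdio.h>
#include <stdbool.h>

/* Option bit values as found in OpenSSL 0.9.7's ssl.h (assumption: copied
 * from that era's header rather than included from the library, so this
 * file compiles stand-alone). SSL_OP_ALL is the "all bug workarounds" mask
 * and includes SSL_OP_MSIE_SSLV2_RSA_PADDING. */
#define OPT_MSIE_SSLV2_RSA_PADDING 0x00000040UL
#define OPT_ALL                    0x00000FFFUL
#define OPT_NO_SSLv2               0x01000000UL

/* True when an option mask, as an application would pass it to
 * SSL_CTX_set_options(), leaves the rollback described in GLSA 200510-11
 * reachable: the MSIE SSLv2 padding workaround is enabled (directly or via
 * SSL_OP_ALL) and SSL 2.0 has not been switched off. */
bool rollback_reachable(unsigned long options)
{
    bool padding_workaround = (options & OPT_MSIE_SSLV2_RSA_PADDING) != 0;
    bool sslv2_disabled     = (options & OPT_NO_SSLv2) != 0;
    return padding_workaround && !sslv2_disabled;
}

/* The advisory's workaround applied to an option mask: keep whatever the
 * application already set, but refuse SSL 2.0 outright. */
unsigned long harden_options(unsigned long options)
{
    return options | OPT_NO_SSLv2;
}

int main(void)
{
    /* Constructed examples of what an application might configure. */
    unsigned long weak  = OPT_ALL;              /* common: "enable all bug workarounds" */
    unsigned long fixed = harden_options(weak); /* SSL_OP_ALL | SSL_OP_NO_SSLv2 */

    printf("SSL_OP_ALL only          : rollback reachable = %s\n",
           rollback_reachable(weak) ? "yes" : "no");
    printf("SSL_OP_ALL | NO_SSLv2    : rollback reachable = %s\n",
           rollback_reachable(fixed) ? "yes" : "no");
    return 0;
}
```

The point the check makes visible is that an application never has to name SSL_OP_MSIE_SSLV2_RSA_PADDING to be affected; setting SSL_OP_ALL is enough, and the only configuration-level remedy short of upgrading is to disable SSL 2.0 explicitly.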

Resolution

All OpenSSL users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose dev-libs/openssl

4.  References



Page updated October 12, 2005
