Full Disclosure mailing list archives
Re: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
From: coderman <coderman () gmail com>
Date: Mon, 16 Dec 2013 19:27:34 -0800
On Sat, Dec 14, 2013 at 4:33 AM, coderman <coderman () gmail com> wrote:
... if you are using an application linked with openssl-1.0.1-beta1 through openssl-1.0.1e you should do one of the following:
updated list with env suggestion:

a.) rebuild your OpenSSL with OPENSSL_NO_RDRAND defined

b.) call ENGINE_unregister_RAND() on "rdrand" engine followed by ENGINE_register_all_complete() to unregister rdrand as default

c.) set OPENSSL_ia32cap="~0x4000000000000000" in global environment (this is poor fix)

d.) git pull latest openssl with commit: "Don't use rdrand engine as default unless explicitly requested." - Dr. Stephen Henson

"what is affected??" - someone

sorry, i am not your distro maintainer. but the list includes, potentially (depending on configure opts / runtime / etc):

RHEL 6.5, 7.0
Centos 6.5
Fedora 18,19,rawhide
Ubuntu 12.04, 12.10, 13.04, 13.10, trusty
Debian 7.0, jessie, sid
Gentoo stable&unstable
Knoppix 7.0.5, 7.2.0
Kali 1.0.5
Slackware 14, 14.1, current

... if ssh built with --with-ssl-engine. these all use OpenSSL 1.0.1+. (remember both ssh client and server may use engines!)

and other libs, like:

M2Crypto
libpam-sshagent-auth
encfs

... which appear to use OpenSSL default engines. but really, you should go check your shit.

best regards,

P.S. if anyone is aware of RDRAND engine backports to OpenSSL 1.0.0* or 0.9.8* in any distros i'd like to know about it!
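A triage sketch for the checks the message above asks for, added here as an example and not part of the original post or of OpenSSL: it classifies an `openssl version` line against the affected range, looks for the "rdrand" engine id in an `openssl engine` listing, and checks for the option c mask. The function names, verdict strings and sample inputs are constructed for illustration; the version string alone does not show whether a distro build carries the fix from option d, so the final verdict still sends you to the applications.

```shell
#!/bin/sh
# Added triage example (not from the original post). Sample inputs are constructed.

# Succeeds when the version token is in openssl-1.0.1-beta1 .. openssl-1.0.1e.
# Accepts a bare version or a full `openssl version` line; build suffixes
# such as "-fips" are tolerated.
rdrand_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -e 's/^OpenSSL  *//' -e 's/ .*//')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-e]|1.0.1[a-e]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when an `openssl engine` listing contains the "rdrand" engine id.
rdrand_engine_listed() {
    printf '%s\n' "$1" | grep -q '^(rdrand)'
}

# Succeeds when an OPENSSL_ia32cap value carries the mask from option c.
rdrand_masked() {
    case "$1" in
        *'~0x4000000000000000'*) return 0 ;;
        *) return 1 ;;
    esac
}

# rdrand_triage VERSION_LINE ENGINE_LISTING IA32CAP_VALUE -> prints a verdict
rdrand_triage() {
    if ! rdrand_version_affected "$1"; then
        echo "version-outside-range"
    elif ! rdrand_engine_listed "$2"; then
        echo "rdrand-engine-not-listed"
    elif rdrand_masked "$3"; then
        echo "masked-by-env"
    else
        # Exposure still depends on whether the application loads default engines.
        echo "review-applications"
    fi
}

# Constructed sample run.
SAMPLE_ENGINES='(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support'
rdrand_triage "OpenSSL 1.0.1e 11 Feb 2013" "$SAMPLE_ENGINES" ""
```

On a live host the three arguments would come from `openssl version`, `openssl engine`, and the OPENSSL_ia32cap value in the environment the service actually runs with, which may differ from your login shell.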