Re: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e

[coderman <coderman () gmail com>]

On Sat, Dec 14, 2013 at 4:33 AM, coderman <coderman () gmail com> wrote:
> ...
> if you are using an application linked with openssl-1.0.1-beta1
> through openssl-1.0.1e you should do one of the following:


updated list with env suggestion:

a.) rebuild your OpenSSL with OPENSSL_NO_RDRAND defined

b.) call ENGINE_unregister_RAND() on "rdrand" engine followed by
ENGINE_register_all_complete() to unregister rdrand as default

c.) set OPENSSL_ia32cap="~0x4000000000000000" in global environment
(this is poor fix)

d.) git pull latest openssl with commit: "Don't use rdrand engine as
default unless explicitly requested." - Dr. Stephen Henson



"what is affected??" - someone

sorry, i am not your distro maintainer.  but the list includes,
potentially (depending on configure opts / runtime / etc):
RHEL 6.5, 7.0
Centos 6.5
Fedora 18,19,rawhide
Ubuntu 12.04, 12.10, 13.04, 13.10, trusty
Debian 7.0, jessie, sid
Gentoo stable&unstable
Knoppix 7.0.5, 7.2.0
Kali 1.0.5
Slackware 14, 14.1, current
... if ssh built with --with-ssl-engine. these all use OpenSSL 1.0.1+.
 (remember both ssh client and server may use engines!)

and other libs, like:
M2Crypto
libpam-sshagent-auth
encfs
... which appear to use OpenSSL default engines.


but really, you should go check your shit.



best regards,


P.S. if anyone is aware of RDRAND engine backports to OpenSSL 1.0.0*
or 0.9.8* in any distros i'd like to know about it!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/