(credit: Ben Hudson)
Maintainers of the OpenSSL cryptographic code library have fixed a high-severity vulnerability that made it possible for attackers to obtain the key that decrypts communications secured in HTTPS and other transport layer security channels.
While the potential impact is high, the vulnerability can be exploited only when a variety of conditions are met. First, it's present only in OpenSSL version 1.0.2. Applications that rely on it must use groups based on the digital signature algorithm to generate ephemeral keys based on the Diffie Hellman key exchange. By default, servers that do this will reuse the same private Diffie-Hellman exponent for the life of the server process, and that makes them vulnerable to the key-recovery attack. DSA-based Diffie-Hellman configurations that rely on a static Diffie-Hellman ciphersuite are also susceptible.
Fortunately, the requirements don't appear to be met by many mainstream applications that rely on OpenSSL and use DSA-based Diffie-Hellman. The Apache Web server, for instance, turns on the SSL_OP_SINGLE_DH_USE option, which causes different private exponents to be used. The OpenSSL-derived BoringSSL code library, meanwhile, got rid of SSL_OP_SINGLE_DH_USE support a few months ago, and LibreSSL deprecated it earlier this week. The applications and libraries may still be vulnerable when using a static ciphersuite, however.