Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Bug Encryption

OpenSSL Fixes a High-Severity Flaw That Allowed Crashing of Servers (arstechnica.com) 24

"OpenSSL, the most widely used software library for implementing website and email encryption, has patched a high-severity vulnerability that makes it easy for hackers to completely shut down huge numbers of servers," reports Ars Technica: On Thursday, OpenSSL maintainers disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from an unauthenticated end user. CVE-2021-3449, as the denial-of-server vulnerability is tracked, is the result of a null pointer dereference bug. Cryptographic engineer Filippo Valsorda said on Twitter that the flaw could probably have been discovered earlier than now.

"Anyway, sounds like you can crash most OpenSSL servers on the Internet today," he added.

Hackers can exploit the vulnerability by sending a server a maliciously formed renegotiating request during the initial handshake that establishes a secure connection between an end user and a server... The maintainers have rated the severity high. Researchers reported the vulnerability to OpenSSL on March 17. Nokia developers Peter Kästle and Samuel Sapalski provided the fix.

Ars Technica also reports that OpenSSL "fixed a separate vulnerability that, in edge cases, prevented apps from detecting and rejecting TLS certificates that aren't digitally signed by a browser-trusted certificate authority."
This discussion has been archived. No new comments can be posted.

OpenSSL Fixes a High-Severity Flaw That Allowed Crashing of Servers

Comments Filter:
  • LibreSSL (Score:4, Insightful)

    by ArchieBunker ( 132337 ) on Sunday March 28, 2021 @10:36AM (#61208680)

    Why aren't people using LibreSSL instead? It's a fork done by the OpenBSD team so you know the code is audited.

    • Is it a drop-in replacement now? If not, that's probably why. It wasn't back in the day.

    • It's only secure when it's run on OpenBSD. If you use it on Linux or anything else you have a major security problem.
    • Why aren't people using LibreSSL instead? It's a fork done by the OpenBSD team so you know the code is audited.

      LibreSSL does not have the features I need and OpenSSL is better maintained. If you look at patches they are mostly flowing from OpenSSL to LibreSSL not the other way around.

      Look at the release notes for LibreSSL which addressed this same issue. It's a one liner. OpenSSL explains the issue in detail.

      OpenSSL has also invested effort in major re-organization with v3. LibreSSL has focused on feature removal and low level changes.

      • OpenSSL is better maintained.

        The fact that both Google and OpenBSD independently decided it was worth the trouble to fork it seems to argue against this point.

        • The fact that both Google and OpenBSD independently decided it was worth the trouble to fork it seems to argue against this point.

          My comment was OpenSSL is better maintained than LibreSSL.

          Google is using BoringSSL not LibreSSL.

          It is not possible to use the fact Google is using its own fork of OpenSSL to draw ANY rational comparative conclusions between OpenSSL and LibreSSL. This would be a non-sequitur.

          What is evident is that OpenSSL does not directly meet everyone's needs.

          BoringSSL is explicitly not intended for general use.

        • OpenBSD forked because they had a temper tantrum when heartbleed hit about OpenSSL's insanely large support for legacy systems. It was very much a knee jerk with the promise of major security enhancements, but all they did was gut code from older architectures. End result they actually have thus far been affected by every CVE that OpenSSL has, all the while their project seems to be running in maintenance mode simply incorporating patches from upstream.

          Google forked because they are Google and that's what t

        • by hrieke ( 126185 )

          Have you ever looked at Google's BoringSSL?
          Scratch that, my actual question is have you ever audited BoringSSL?
          Any code that does anything important (Cryptography) is OpenSSL under the OpenSSL license.
          Google trimmed the stuff they did not want or need, created their own header files for their interfaces. This is for them, in fact they say as much in the readme.
          Worse, in my opinion, they hid the release version of OpenSSL in one of their files, so unless you know where to look, you really do not know which

    • Why aren't people using LibreSSL instead? It's a fork done by the OpenBSD team so you know the code is audited.

      Most people aren't rolling their own code, so they're stuck with whatever their OS provides for them. macOS has been using LibreSSL for a number of years; but RHEL and most other Linux distros are still on openssl - I have to wonder if that's GNU politics more than anything else.

    • Because it's not compatible with anything. LibreSSL is far far from a drop-in replacement. This is why most projects that tried to switch to LibreSSL from OpenSSL eventually gave up and reverted back. They had to maintain too many patches and LibreSSL was too much of a moving target.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...