1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

OpenSSL security issues (2013/02/05)

Discussion in 'Tomato Firmware' started by koitsu, Feb 8, 2013.

  1. koitsu

    koitsu Network Guru Member

    Just disclosed:


    Before considering upgrading OpenSSL to a new version, please read the entire thread below which confirms there is a major regression issue:


    Remember: when upgrading OpenSSL, all programs which link to it need to be rebuilt. OpenSSL is notorious for changing calling semantics between minor versions, so you cannot just upgrade libraries and expect existing binaries to work correctly.

    I don't know how to check the OpenSSL version on TomatoUSB, because the openssl version command does not work (?!?!?).

    Good luck!
  2. Mangix

    Mangix Networkin' Nut Member

    the version on shibby's builds at least is 1.0.1c.

    edit: I should point out. The security issue is just a timing attack on CBC mode(the MAC actually).

    It affects nothing else(yet).
  3. koitsu

    koitsu Network Guru Member

    Absolutely right. Thanks as usual for your insights and good comments, Mangix. Greatly appreciated.
  4. gfunkdave

    gfunkdave LI Guru Member

  5. Mangix

    Mangix Networkin' Nut Member

  6. mstombs

    mstombs Network Guru Member

  7. eahm

    eahm LI Guru Member

  8. leandroong

    leandroong Addicted to LI Member

    Shibby FW, OpenSSL 1.0.1c 10 May 2012. Will test upgrading my entware optware installed.
  9. Mangix

    Mangix Networkin' Nut Member

    Upon investigating further, this attack is pointless.

    It requires 2^19 SSL sessions to be made(2^23 if SHA256 is used which is TLS 1.2). It also requires very precise timing measurements which basically means this is an attack that only works on the LAN side and not then WAN side. If someone is on the LAN, there are more serious problems.
  10. leandroong

    leandroong Addicted to LI Member

    Compiled done. Will replace entware optware "libopenssl - 1.0.1c-1" to "liboepenssl - 1.0.1e-1". I wonder if I should install openssl-utils_1.0.1e-1 also? It seems not need by transmission optware. Will observe warning regression effect on transmission ...
  11. leandroong

    leandroong Addicted to LI Member

    on tramssmission GUI, I observed immediate downloading... Max peers immedate detection and faster dl.

Share This Page