RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
coderman
coderman at gmail.com
Mon Dec 16 19:27:34 PST 2013
On Sat, Dec 14, 2013 at 4:33 AM, coderman <coderman at gmail.com> wrote:
> ...
> if you are using an application linked with openssl-1.0.1-beta1
> through openssl-1.0.1e you should do one of the following:
updated list with env suggestion:
a.) rebuild your OpenSSL with OPENSSL_NO_RDRAND defined
b.) call ENGINE_unregister_RAND() on "rdrand" engine followed by
ENGINE_register_all_complete() to unregister rdrand as default
c.) set OPENSSL_ia32cap="~0x4000000000000000" in global environment
(this is poor fix)
d.) git pull latest openssl with commit: "Don't use rdrand engine as
default unless explicitly requested." - Dr. Stephen Henson
"what is affected??" - someone
sorry, i am not your distro maintainer. but the list includes,
potentially (depending on configure opts / runtime / etc):
RHEL 6.5, 7.0
Centos 6.5
Fedora 18,19,rawhide
Ubuntu 12.04, 12.10, 13.04, 13.10, trusty
Debian 7.0, jessie, sid
Gentoo stable&unstable
Knoppix 7.0.5, 7.2.0
Kali 1.0.5
Slackware 14, 14.1, current
... if ssh built with --with-ssl-engine. these all use OpenSSL 1.0.1+.
(remember both ssh client and server may use engines!)
and other libs, like:
M2Crypto
libpam-sshagent-auth
encfs
... which appear to use OpenSSL default engines.
but really, you should go check your shit.
best regards,
P.S. if anyone is aware of RDRAND engine backports to OpenSSL 1.0.0*
or 0.9.8* in any distros i'd like to know about it!
More information about the cypherpunks
mailing list