[VIM] PolarSSL / OpenSSL

security curmudgeon jericho at attrition.org
Tue Apr 19 15:58:31 CDT 2011



A recent vulnerability was reported in PolarSSL:

http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
http://polarssl.org/trac/wiki/SecurityAdvisory201101
OSVDB 70945, Secunia 43595

Testing by some of the folks at my day job suggests that there really 
isn't a vulnerability here. Per the research types, "this attack can not 
work in the real world: while the server may accept a weak DH key, the 
client is supposed to validate the signature of the server's DH key, so a 
3rd party may not implement the attack described [in the advisory]."

Further, it was noted that the Nessus plugin (53360) fired on an OpenSSL 
installation. This led them to poke around and find that OpenSSL, when 
compiled in FIPS mode, has this weakness. This information was also made 
public on the Nessus discussion forum 
(https://discussions.nessus.org/message/10302#10302). Interestingly 
enough, the non-FIPS DH implementation does not have the issue, as it 
validates the key it receives.

OSVDB has created 71845 to track the OpenSSL issue.
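
Added example, not part of the original post and not PolarSSL or OpenSSL code: a sketch of the kind of peer-key validation the message says the non-FIPS DH path performs, with a count of how many shared secrets remain possible when a degenerate public value is accepted. The function names, the toy group (p = 23, q = 11, g = 4) and the exact checks are assumptions chosen for illustration.

```python
# Illustrative only: toy parameters constructed for this example.
P, Q, G = 23, 11, 4          # safe prime p = 2q + 1; g generates the order-q subgroup


def validate_dh_public(y, p, q=None):
    """Return (ok, reason) for a peer's DH public value y modulo prime p.

    Range check: 0, 1 and p-1 make the shared secret predictable.
    Optional subgroup check (needs q): y must have order q.
    """
    if not 2 <= y <= p - 2:
        return False, "out of range [2, p-2]"
    if q is not None and pow(y, q, p) != 1:
        return False, "not in the order-q subgroup"
    return True, "ok"


def reachable_secrets(peer_y, p, q):
    """Every shared secret the local side could derive from peer_y,
    over all private exponents 1..q-1 (feasible only at toy sizes)."""
    return {pow(peer_y, x, p) for x in range(1, q)}


def audit(candidates, p=P, q=Q):
    """Map each candidate public value to (accepted, reason, #possible secrets)."""
    report = {}
    for y in candidates:
        ok, reason = validate_dh_public(y, p, q)
        report[y] = (ok, reason, len(reachable_secrets(y, p, q)))
    return report


if __name__ == "__main__":
    honest = pow(G, 5, P)    # a well-formed public value (constructed)
    for y, (ok, reason, n) in audit([0, 1, P - 1, 5, honest]).items():
        print(f"y={y:2d} accepted={ok!s:5} secrets={n:2d} ({reason})")
```

An implementation that skips `validate_dh_public` derives a key from at most two possible values when handed 0, 1 or p-1, which is why the check belongs on the receiving side regardless of what the peer is expected to sign.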



