SUSE Support

Here When You Need Us

OpenSSL versions that only allow ephemeral RSA keys in export ciphersuites (FREAK) (VUL-0: CVE-2015-0204)

This document (7016252) is provided subject to the disclaimer at the end of this document.

Environment


SUSE Linux Enterprise Server 10 Service Pack 4 (SLES 10 SP4)
SUSE Linux Enterprise Server 10 Service Pack 3 (SLES 10 SP3)
SUSE Linux Enterprise Server 10 Service Pack 2 (SLES 10 SP2)
SUSE Linux Enterprise Server 10 Service Pack 1 (SLES 10 SP1)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)
SUSE Linux Enterprise Server 12
Expanded Support 6 (RES 6)
Expanded Support 7 (RES 7)

Situation

On Tuesday, March 3, 2015, researchers disclosed a new SSL/TLS vulnerability — the FREAK attack.
The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered
Some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys.
Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas.

Websites for this issue and further details can be found here and here

Resolution

SUSE has released a maintenance update for OpenSSL already end of January 2015.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k
OpenSSL 1.0.0 users should upgrade to 1.0.0p
OpenSSL 0.9.8 users should upgrade to 0.9.8zd

*Please note that the SUSE released versions do not necessarily match the upstream community released versions.

For Expanded Support (RES) the following OpenSSL versions have the fix included already:
RHEL7: openssl-1.0.1e-34.el7_0.7
RHEL6: openssl-1.0.1e-30.el6_6.5
Please note that another OpenSSL update will be available soon for RHEL7.

It is also required to check if any of the following services are still offering EXPORT ciphers and if that is the case, remove them via the OpenSSL Command-Line tool:

For HTTPS services (webservices):
    openssl s_client -connect example.com:443 -cipher EXPORT

For SMTP servers with SSL:
    openssl s_client -connect example.com:smtp -starttls smtp -cipher EXPORT

For IMAP server with SSL:
    openssl s_client -connect example.com:imaps -cipher EXPORT

For POP3 server with SSL:
    openssl s_client -connect example.com:pop3s -cipher EXPORT

Cause

An OpenSSL client will accept the use of an RSA temporary key in a non-export
RSA key exchange ciphersuite. A server could present a weak temporary key
and downgrade the security of the session.

Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7016252
  • Creation Date: 04-Mar-2015
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.