OpenSSL 1.1.1k Is Released And You Should Upgrade If You Are Using OpenSSL 1.1.1
The OpenSSL developers made one very unfortunate and very embarrassing mistake between versions 1.1.1g and 1.1.1h that rendered the entire security OpenSSL is supposed to provide moot. The latest OpenSSL 1.1.1k security release fixes that, along with an equally serious security problem, present in all OpenSSL 1.1.1 versions, that could allow services that allow TLS 1.2 to be crashed with an evil renegotiation ClientHello message. Upgrading is a great idea.
The OpenSSL team issued an important security advisory on March 25th, 2021. In it, they admit that:
"The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default.
Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check.
An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates."
There is a slight upside to this very embarrassing security flaw: it only affects applications that explicitly ask for additional security.
"In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose."
It is a bit ironic that it is only the applications that specifically ask the OpenSSL library for strict security with the X509_V_FLAG_X509_STRICT flag that, thanks to the now-exposed security flaw, get none.
Knowing whether an application using OpenSSL, and that would be most of those interacting with the Internet, sets that flag is impossible without a deep dive into the application's source code. It is, therefore, best to stay on the safe side and upgrade to the latest OpenSSL 1.1.1k release if you are using software that interacts with the Internet. The fact that you are reading this text now means that you probably are.
The ancient OpenSSL 1.0.x branch is not affected by the certificate validation flaw.
It Gets Worse
The same security advisory mentions another equally critical problem that affects all OpenSSL 1.1.1 versions prior to 1.1.1k: it may be possible to crash server services using OpenSSL by sending a carefully crafted renegotiation ClientHello message. This flaw affects any piece of software using OpenSSL that has TLS v1.2 enabled. Most services offer TLS v1.2, even though it is a slightly outdated standard, because it is foolish to restrict a publicly available service to Firefox 63+, Android 10.0+, Edge 75+ and Safari 12.1 by requiring TLS v1.3.
The source code for OpenSSL 1.1.1k can be acquired from www.openssl.org/source/. GNU/Linux distributions will probably provide updated OpenSSL versions in short order, since each of the security vulnerabilities disclosed today is a big deal on its own. System administrators should make sure that all system services using the OpenSSL library are restarted if/when they upgrade to 1.1.1k. Simply replacing the existing library with a newer version isn't enough to make running applications that already loaded it safe.
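To find the services that still need that restart, the following shell script is an added example (not from the OpenSSL project or the original article) that lists processes still mapping a replaced libssl or libcrypto. It assumes a Linux /proc filesystem and a package manager that unlinks the old library file on upgrade, which makes the kernel mark the stale mapping "(deleted)"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report processes that still have a replaced OpenSSL
# library mapped and therefore need a restart after the upgrade.
# Assumption: Linux /proc; the old library file was unlinked on upgrade.

# stale_openssl_maps FILE
# FILE is in /proc/<pid>/maps format. Prints each distinct libssl or
# libcrypto path whose mapping the kernel has tagged "(deleted)".
stale_openssl_maps() {
    awk '$NF == "(deleted)" &&
         $(NF-1) ~ "/lib(ssl|crypto)[^/]*[.]so[^/]*$" { print $(NF-1) }' "$1" |
        sort -u
}

# scan_stale_openssl [PROC_ROOT]
# Walks every numeric directory under PROC_ROOT (default /proc) and prints
# one tab-separated line per stale library: PID, command name, library path.
scan_stale_openssl() {
    so_root="${1:-/proc}"
    for so_maps in "$so_root"/[0-9]*/maps; do
        # Skip processes that exited or that we may not inspect.
        [ -r "$so_maps" ] || continue
        so_pid="${so_maps%/maps}"
        so_pid="${so_pid##*/}"
        stale_openssl_maps "$so_maps" 2>/dev/null |
            while read -r so_lib; do
                printf '%s\t%s\t%s\n' "$so_pid" \
                    "$(cat "$so_root/$so_pid/comm" 2>/dev/null)" "$so_lib"
            done
    done
}

# Run as root to see every process; an empty result means nothing running
# still holds the old library.
scan_stale_openssl "${1:-/proc}"
```

Statically linked binaries and applications that bundle their own copy of OpenSSL do not show up here and have to be updated separately.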