- Issued:
- 2014-10-13
- Updated:
- 2014-10-13
RHBA-2014:1525 - Bug Fix Advisory
Synopsis
openssl bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated openssl packages that fix several bugs and add various enhancements are
now available for Red Hat Enterprise Linux 6.
Description
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL), Transport
Layer Security (TLS), and Datagram Transport Layer Security (DTLS) protocols, as
well as a full-strength, general purpose cryptography library.
This update fixes the following bugs:
- Previously, cipher suites based on the single-DES and RC2 algorithms were on
the default list of cipher suites used by the SSL or TLS client and by the
server in the OpenSSL library. This allowed for suboptimal cipher suites to be
negotiated between the OpenSSL client or server and a third party client or
server. In addition, a higher amount of supported cipher suites in the TLS
ClientHello request impaired the inter-operability of the OpenSSL TLS client.
This update removes single-DES-based and RC2-based cipher suites from the
default list of cipher suites, improving the security and compatibility of the
OpenSSL TLS client. (BZ#1057520) - Cipher suites based on the Triple DES (3DES) algorithm had their bit strengths
erroneously set to 168 bits when running under the SSL or TLS protocols. As a
consequence, they were incorrectly sorted before cipher suites based on the
AES-128 algorithm. This update sets the bit strength of 3DES-based cipher suites
to 128 bits, and they will now be sorted after AES-128-based cipher suites as
expected. (BZ#1056608) - In TLS client applications that use the SSLv2 protocol, the TLS extension
giving the list of supported Elliptic Curve Cryptography (ECC)-based cipher
suites could not be sent. This caused a TLS connection to a server which used an
ECC-based cipher suite not supported by the OpenSSL client to abort. With this
update, the ECC-based cipher suites are not sent in the SSLv2 ClientHello
request, and TLS connections are no longer aborted in the above circumstances.
(BZ#1090952) - The TLS extensions that were sent in the Datagram TLS (DTLS) ClientHello
requests did not previously contain the list of the supported ECC-based cipher
suites. As a consequence, the DTLS connections to servers using ECC cipher
suites not supported by the OpenSSL client were aborted. With this update, the
ECC-based cipher suite list is properly sent in the DTLS ClientHello requests,
and DTLS connections are no longer aborted in the above circumstances.
(BZ#1119800)
In addition, this update adds the following enhancements:
- The openssl packages have been enhanced to allow for FIPS-140-2 validation of
the OpenSSL library as a FIPS cryptographic module. (BZ#1002926, BZ#1039105,
BZ#1002930, BZ#1015056) - When connecting to a server using ECDHE-based or DHE-based cipher suites, the
s_client utility now reports the size of ECDHE and DHE parameters selected by
the server. This allows for easy verification whether the used configuration set
is secure. (BZ#1057715)
Users of openssl are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements. For the update to take effect, all
services linked to the OpenSSL library must be restarted, or the system
rebooted.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
Affected Products
- Red Hat Enterprise Linux Server 6 x86_64
- Red Hat Enterprise Linux Server 6 i386
- Red Hat Enterprise Linux Workstation 6 x86_64
- Red Hat Enterprise Linux Workstation 6 i386
- Red Hat Enterprise Linux Desktop 6 x86_64
- Red Hat Enterprise Linux Desktop 6 i386
- Red Hat Enterprise Linux for IBM z Systems 6 s390x
- Red Hat Enterprise Linux for Power, big endian 6 ppc64
- Red Hat Enterprise Linux for Scientific Computing 6 x86_64
- Red Hat Enterprise Linux Server from RHUI 6 x86_64
- Red Hat Enterprise Linux Server from RHUI 6 i386
Fixes
- BZ - 1015056 - openssl speed reports errors during execution in fips mode
- BZ - 1039105 - Disable RSA and DSA key generation for keys <2048 bits in the FIPS mode
- BZ - 1057715 - s_client utility doesn't report the size of used DHE and ECDHE parameters selected by server
- BZ - 1065328 - openssl reports generation of 2048 bit key while it generates 1024 bit key [rhel-6]
- BZ - 1090952 - Do not send ECC ciphersuites in SSLv2 client hello
- BZ - 1100819 - BIO_f_cipher does not test for EVP_CipherUpdate failures
- BZ - 1105567 - Properly detect HMAC integrity check failure if the .hmac file is empty [rhel-6]
- BZ - 1106407 - Fix for CVE-2014-0224 breaks EAP-FAST/wpa_supplicant TLS session resumption.
- BZ - 1119800 - ECC supported curves list extension is missing in DTLS1 client hello
CVEs
(none)
References
(none)
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Enterprise Linux Server 6
| SRPM | |
|---|---|
| openssl-1.0.1e-30.el6.src.rpm | SHA-256: 8dc857920a0f9380ff02e01c06fb5457fcf172d0fd1e2297abdc3ead16af7652 |
| x86_64 | |
| openssl-1.0.1e-30.el6.i686.rpm | SHA-256: 6e3f6a73d2af927c5a869a15bfd02734eafcb971a71acc3f9bdd420034c9d53b |
| openssl-1.0.1e-30.el6.x86_64.rpm | SHA-256: 5ee3e303db013b89512557cb975ee52c4089acbf2e4377bdad7b0d34a2722e83 |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-debuginfo-1.0.1e-30.el6.x86_64.rpm | SHA-256: 60db7353536f81b6b6b1874917817d333759376860fc2d38bfdefe4a29607654 |
| openssl-debuginfo-1.0.1e-30.el6.x86_64.rpm | SHA-256: 60db7353536f81b6b6b1874917817d333759376860fc2d38bfdefe4a29607654 |
| openssl-devel-1.0.1e-30.el6.i686.rpm | SHA-256: cb4ec23632b7eb288736727f7456e962a5070e638c7a068581123cb70303d4ad |
| openssl-devel-1.0.1e-30.el6.x86_64.rpm | SHA-256: 442096f115eb7e554e67a4fc5a7e522322110f0cc8d5fa39dd49e955fc79610b |
| openssl-perl-1.0.1e-30.el6.x86_64.rpm | SHA-256: 82eddad222a6e444aaf5013b980071e901c75e704b161e90ebf8e8317ac9b09e |
| openssl-static-1.0.1e-30.el6.x86_64.rpm | SHA-256: af13bce4e4b9b54dc231f859a55d74e5ff0aa2a9cf3f90e2b4988605c147bbe3 |
| i386 | |
| openssl-1.0.1e-30.el6.i686.rpm | SHA-256: 6e3f6a73d2af927c5a869a15bfd02734eafcb971a71acc3f9bdd420034c9d53b |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-devel-1.0.1e-30.el6.i686.rpm | SHA-256: cb4ec23632b7eb288736727f7456e962a5070e638c7a068581123cb70303d4ad |
| openssl-perl-1.0.1e-30.el6.i686.rpm | SHA-256: 8de2c44303b0b9cd0621fa213b35271cbae071aa401e22ec2056aad2c9a7f79f |
| openssl-static-1.0.1e-30.el6.i686.rpm | SHA-256: 703a93810562779768cc8f114329e244b748126aa226e85a793bfc5f853372c4 |
Red Hat Enterprise Linux Workstation 6
| SRPM | |
|---|---|
| openssl-1.0.1e-30.el6.src.rpm | SHA-256: 8dc857920a0f9380ff02e01c06fb5457fcf172d0fd1e2297abdc3ead16af7652 |
| x86_64 | |
| openssl-1.0.1e-30.el6.i686.rpm | SHA-256: 6e3f6a73d2af927c5a869a15bfd02734eafcb971a71acc3f9bdd420034c9d53b |
| openssl-1.0.1e-30.el6.x86_64.rpm | SHA-256: 5ee3e303db013b89512557cb975ee52c4089acbf2e4377bdad7b0d34a2722e83 |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-debuginfo-1.0.1e-30.el6.x86_64.rpm | SHA-256: 60db7353536f81b6b6b1874917817d333759376860fc2d38bfdefe4a29607654 |
| openssl-debuginfo-1.0.1e-30.el6.x86_64.rpm | SHA-256: 60db7353536f81b6b6b1874917817d333759376860fc2d38bfdefe4a29607654 |
| openssl-devel-1.0.1e-30.el6.i686.rpm | SHA-256: cb4ec23632b7eb288736727f7456e962a5070e638c7a068581123cb70303d4ad |
| openssl-devel-1.0.1e-30.el6.x86_64.rpm | SHA-256: 442096f115eb7e554e67a4fc5a7e522322110f0cc8d5fa39dd49e955fc79610b |
| openssl-perl-1.0.1e-30.el6.x86_64.rpm | SHA-256: 82eddad222a6e444aaf5013b980071e901c75e704b161e90ebf8e8317ac9b09e |
| openssl-static-1.0.1e-30.el6.x86_64.rpm | SHA-256: af13bce4e4b9b54dc231f859a55d74e5ff0aa2a9cf3f90e2b4988605c147bbe3 |
| i386 | |
| openssl-1.0.1e-30.el6.i686.rpm | SHA-256: 6e3f6a73d2af927c5a869a15bfd02734eafcb971a71acc3f9bdd420034c9d53b |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-devel-1.0.1e-30.el6.i686.rpm | SHA-256: cb4ec23632b7eb288736727f7456e962a5070e638c7a068581123cb70303d4ad |
| openssl-perl-1.0.1e-30.el6.i686.rpm | SHA-256: 8de2c44303b0b9cd0621fa213b35271cbae071aa401e22ec2056aad2c9a7f79f |
| openssl-static-1.0.1e-30.el6.i686.rpm | SHA-256: 703a93810562779768cc8f114329e244b748126aa226e85a793bfc5f853372c4 |
Red Hat Enterprise Linux Desktop 6
| SRPM | |
|---|---|
| openssl-1.0.1e-30.el6.src.rpm | SHA-256: 8dc857920a0f9380ff02e01c06fb5457fcf172d0fd1e2297abdc3ead16af7652 |
| x86_64 | |
| openssl-1.0.1e-30.el6.i686.rpm | SHA-256: 6e3f6a73d2af927c5a869a15bfd02734eafcb971a71acc3f9bdd420034c9d53b |
| openssl-1.0.1e-30.el6.x86_64.rpm | SHA-256: 5ee3e303db013b89512557cb975ee52c4089acbf2e4377bdad7b0d34a2722e83 |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-debuginfo-1.0.1e-30.el6.x86_64.rpm | SHA-256: 60db7353536f81b6b6b1874917817d333759376860fc2d38bfdefe4a29607654 |
| openssl-debuginfo-1.0.1e-30.el6.x86_64.rpm | SHA-256: 60db7353536f81b6b6b1874917817d333759376860fc2d38bfdefe4a29607654 |
| openssl-devel-1.0.1e-30.el6.i686.rpm | SHA-256: cb4ec23632b7eb288736727f7456e962a5070e638c7a068581123cb70303d4ad |
| openssl-devel-1.0.1e-30.el6.x86_64.rpm | SHA-256: 442096f115eb7e554e67a4fc5a7e522322110f0cc8d5fa39dd49e955fc79610b |
| openssl-perl-1.0.1e-30.el6.x86_64.rpm | SHA-256: 82eddad222a6e444aaf5013b980071e901c75e704b161e90ebf8e8317ac9b09e |
| openssl-static-1.0.1e-30.el6.x86_64.rpm | SHA-256: af13bce4e4b9b54dc231f859a55d74e5ff0aa2a9cf3f90e2b4988605c147bbe3 |
| i386 | |
| openssl-1.0.1e-30.el6.i686.rpm | SHA-256: 6e3f6a73d2af927c5a869a15bfd02734eafcb971a71acc3f9bdd420034c9d53b |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-devel-1.0.1e-30.el6.i686.rpm | SHA-256: cb4ec23632b7eb288736727f7456e962a5070e638c7a068581123cb70303d4ad |
| openssl-perl-1.0.1e-30.el6.i686.rpm | SHA-256: 8de2c44303b0b9cd0621fa213b35271cbae071aa401e22ec2056aad2c9a7f79f |
| openssl-static-1.0.1e-30.el6.i686.rpm | SHA-256: 703a93810562779768cc8f114329e244b748126aa226e85a793bfc5f853372c4 |
Red Hat Enterprise Linux for IBM z Systems 6
| SRPM | |
|---|---|
| openssl-1.0.1e-30.el6.src.rpm | SHA-256: 8dc857920a0f9380ff02e01c06fb5457fcf172d0fd1e2297abdc3ead16af7652 |
| s390x | |
| openssl-1.0.1e-30.el6.s390.rpm | SHA-256: 698beacc1c8d731eb76261d1cdd065212b4e6e9c142a54688108e35d3b437c8d |
| openssl-1.0.1e-30.el6.s390x.rpm | SHA-256: 209ca2cec506e47531cfb577e097916f46cbc355b0ea13fb25eff0af6b44cd66 |
| openssl-debuginfo-1.0.1e-30.el6.s390.rpm | SHA-256: 2a08dfcb2ec6dfa08f5bf9082133f002919211f4d602e694d26aa6fb86f91d96 |
| openssl-debuginfo-1.0.1e-30.el6.s390x.rpm | SHA-256: 33edf7554d034d293f7a0f0dde95de46b6dfceda21366bb0b0cad141c6c3d0b5 |
| openssl-debuginfo-1.0.1e-30.el6.s390x.rpm | SHA-256: 33edf7554d034d293f7a0f0dde95de46b6dfceda21366bb0b0cad141c6c3d0b5 |
| openssl-devel-1.0.1e-30.el6.s390.rpm | SHA-256: db01edbe7d9f0d1d03564271556094e67e280fc4d4b7778038e54f3b8202eaff |
| openssl-devel-1.0.1e-30.el6.s390x.rpm | SHA-256: 91b3a02407e703372545ba2bbe497ee5a2723e3beb7caea331e713b1021d6001 |
| openssl-perl-1.0.1e-30.el6.s390x.rpm | SHA-256: 86c81ac36dfe0f2195cb9e61d03181b59e7e7bde3842e677407ff84352f6f20f |
| openssl-static-1.0.1e-30.el6.s390x.rpm | SHA-256: 4ab677ffdbadc0e5031b43002e7bd25c441bc21b68e8179d5bc5484213af56ae |
Red Hat Enterprise Linux for Power, big endian 6
| SRPM | |
|---|---|
| openssl-1.0.1e-30.el6.src.rpm | SHA-256: 8dc857920a0f9380ff02e01c06fb5457fcf172d0fd1e2297abdc3ead16af7652 |
| ppc64 | |
| openssl-1.0.1e-30.el6.ppc.rpm | SHA-256: ab87d4f542d00ee52e266f3592e01a7c15473a34481ca8147b96daa38c3f3af6 |
| openssl-1.0.1e-30.el6.ppc64.rpm | SHA-256: 3585126c5f81283eba9efa24d2a220ae300f6cf3d12b2c9a3cf8cdd91a4fa7c5 |
| openssl-debuginfo-1.0.1e-30.el6.ppc.rpm | SHA-256: ada12657d54fba5c27e984d1cc5253036d7d10001b288bd240e277cca06b694e |
| openssl-debuginfo-1.0.1e-30.el6.ppc64.rpm | SHA-256: acc8d7d634e42951dc05020173d0b6ad88b5d80658f0b8ed1207c76aa3334b85 |
| openssl-debuginfo-1.0.1e-30.el6.ppc64.rpm | SHA-256: acc8d7d634e42951dc05020173d0b6ad88b5d80658f0b8ed1207c76aa3334b85 |
| openssl-devel-1.0.1e-30.el6.ppc.rpm | SHA-256: 1c0f8a6a850fd98732ba2a72df405e1078d8ce6e7583fa46f934429438c2e067 |
| openssl-devel-1.0.1e-30.el6.ppc64.rpm | SHA-256: b52e41da1f11c6106af560135b2fdae3fd8eea2eb669f04a3981649de5d3d0e5 |
| openssl-perl-1.0.1e-30.el6.ppc64.rpm | SHA-256: 89c4b7ca1cf6d5987f3526565e24b2dc92a0d3f8358780540aaaade0ad3f901d |
| openssl-static-1.0.1e-30.el6.ppc64.rpm | SHA-256: e99a9293ed2a0d61348d52fedfe2b74b2cd0b8521c82077f5be3fed4269c1bf6 |
Red Hat Enterprise Linux for Scientific Computing 6
| SRPM | |
|---|---|
| openssl-1.0.1e-30.el6.src.rpm | SHA-256: 8dc857920a0f9380ff02e01c06fb5457fcf172d0fd1e2297abdc3ead16af7652 |
| x86_64 | |
| openssl-1.0.1e-30.el6.i686.rpm | SHA-256: 6e3f6a73d2af927c5a869a15bfd02734eafcb971a71acc3f9bdd420034c9d53b |
| openssl-1.0.1e-30.el6.x86_64.rpm | SHA-256: 5ee3e303db013b89512557cb975ee52c4089acbf2e4377bdad7b0d34a2722e83 |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-debuginfo-1.0.1e-30.el6.x86_64.rpm | SHA-256: 60db7353536f81b6b6b1874917817d333759376860fc2d38bfdefe4a29607654 |
| openssl-debuginfo-1.0.1e-30.el6.x86_64.rpm | SHA-256: 60db7353536f81b6b6b1874917817d333759376860fc2d38bfdefe4a29607654 |
| openssl-devel-1.0.1e-30.el6.i686.rpm | SHA-256: cb4ec23632b7eb288736727f7456e962a5070e638c7a068581123cb70303d4ad |
| openssl-devel-1.0.1e-30.el6.x86_64.rpm | SHA-256: 442096f115eb7e554e67a4fc5a7e522322110f0cc8d5fa39dd49e955fc79610b |
| openssl-perl-1.0.1e-30.el6.x86_64.rpm | SHA-256: 82eddad222a6e444aaf5013b980071e901c75e704b161e90ebf8e8317ac9b09e |
| openssl-static-1.0.1e-30.el6.x86_64.rpm | SHA-256: af13bce4e4b9b54dc231f859a55d74e5ff0aa2a9cf3f90e2b4988605c147bbe3 |
Red Hat Enterprise Linux Server from RHUI 6
| SRPM | |
|---|---|
| openssl-1.0.1e-30.el6.src.rpm | SHA-256: 8dc857920a0f9380ff02e01c06fb5457fcf172d0fd1e2297abdc3ead16af7652 |
| x86_64 | |
| openssl-1.0.1e-30.el6.i686.rpm | SHA-256: 6e3f6a73d2af927c5a869a15bfd02734eafcb971a71acc3f9bdd420034c9d53b |
| openssl-1.0.1e-30.el6.x86_64.rpm | SHA-256: 5ee3e303db013b89512557cb975ee52c4089acbf2e4377bdad7b0d34a2722e83 |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-debuginfo-1.0.1e-30.el6.x86_64.rpm | SHA-256: 60db7353536f81b6b6b1874917817d333759376860fc2d38bfdefe4a29607654 |
| openssl-debuginfo-1.0.1e-30.el6.x86_64.rpm | SHA-256: 60db7353536f81b6b6b1874917817d333759376860fc2d38bfdefe4a29607654 |
| openssl-devel-1.0.1e-30.el6.i686.rpm | SHA-256: cb4ec23632b7eb288736727f7456e962a5070e638c7a068581123cb70303d4ad |
| openssl-devel-1.0.1e-30.el6.x86_64.rpm | SHA-256: 442096f115eb7e554e67a4fc5a7e522322110f0cc8d5fa39dd49e955fc79610b |
| openssl-perl-1.0.1e-30.el6.x86_64.rpm | SHA-256: 82eddad222a6e444aaf5013b980071e901c75e704b161e90ebf8e8317ac9b09e |
| openssl-static-1.0.1e-30.el6.x86_64.rpm | SHA-256: af13bce4e4b9b54dc231f859a55d74e5ff0aa2a9cf3f90e2b4988605c147bbe3 |
| i386 | |
| openssl-1.0.1e-30.el6.i686.rpm | SHA-256: 6e3f6a73d2af927c5a869a15bfd02734eafcb971a71acc3f9bdd420034c9d53b |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-debuginfo-1.0.1e-30.el6.i686.rpm | SHA-256: ad14e9391129afd6e0b894a3ccb086f51507925cccf5692b7cb6a7c18350fdfa |
| openssl-devel-1.0.1e-30.el6.i686.rpm | SHA-256: cb4ec23632b7eb288736727f7456e962a5070e638c7a068581123cb70303d4ad |
| openssl-perl-1.0.1e-30.el6.i686.rpm | SHA-256: 8de2c44303b0b9cd0621fa213b35271cbae071aa401e22ec2056aad2c9a7f79f |
| openssl-static-1.0.1e-30.el6.i686.rpm | SHA-256: 703a93810562779768cc8f114329e244b748126aa226e85a793bfc5f853372c4 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.