A high severity vulnerability was discovered in OpenSSL, as a result of which a patch was released on January 28 2016. The vulnerability exists in the cryptographic code library that lets the attacker decrypt the HTTPS communications.

Diffie-Hellman key exchange has been a common means of exchanging cryptographic keys over the untrusted channels which further helps the protocols like HTTPS to set up a secure communication. The applications that rely on the DH key exchange algorithm generate ephemeral keys using only “safe” prime numbers, but servers that do this, reuse the same primes by default, which makes them vulnerable to the key-recovery attack. OpenSSL has the SSL_OP_SINGLE_DH_USE option for ephemeral Diffie-Hellman in TLS. But the option was turned off by default that made the server reuse the same private exponent, making it vulnerable to an attack. Attackers could exploit this flaw by potentially making multiple connections with a vulnerable server and searching for TLS server’s private Diffie-Hellman key if the server was re-using the private key or using a static Diffie-Hellman cipher suite.

If you are using OpenSSL version 1.0.2, its time to update to OpenSSL 1.0.2f. While those still using OpenSSL version 1.0.1 should install version 1.0.1r. Among other recommendations, Thursday’s OpenSSL advisory also warns that the patch may compromise performance, along with reminding users that support for OpenSSL version 1.0.1 will end at the end of this year, after which no security updates will be available.