
Re: ssl security desaster



* Patrik Fimml:

> On Tue, May 27, 2008 at 04:51:36PM +0200, Florian Weimer wrote:
>> > Well, I actually had false positives (on amd64) -- even freshly
>> > generated keys with the new libopenssl package were reported as bad,
>> > which irritated me a bit.
>> 
>> And you've already deleted those keys, right?  How convenient. 8-/
>
> No, actually, /all/ keys I generated were allegedly weak -- this
> means, after executing ssh-keygen and dowkd.pl five times, I stuck to
> the key. (ssh-vulnkey thinks it is fine though.)

Well, you can send me the key in private if you want.  Let's see if I
can factor it. 8-)

> The dowkd.pl linked in the DSA has seemingly changed, however. (IIRC,
> it wasn't gzipped nor generated a database before.)

Yes, there have been some updates (more extensive blacklists, OpenSSL
support, better UI).  The current version contains an embedded
changelog.  However, both database generation and gzipping were present
from the start.

