Re: ssl security desaster

To: debian-devel@lists.debian.org
Subject: Re: ssl security desaster
From: Colin Watson <cjwatson@debian.org>
Date: Wed, 28 May 2008 00:00:47 +0100
Message-id: <[🔎] 20080527230047.GA9397@riva.ucam.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20080527154959.GA30226@albino>
References: <[🔎] 1210853087.16247.13.camel@localhost> <[🔎] 200805151520.12046.thijs@debian.org> <[🔎] 200805150915.57042.mgb-debian@yosemite.net> <[🔎] 20080526230904.GA21013@riva.ucam.org> <[🔎] 20080526233330.GB13752@kodama.kitenet.net> <[🔎] 87skw3c0x1.fsf@mid.deneb.enyo.de> <[🔎] 20080527135510.GA5317@albino> <[🔎] 871w3nby13.fsf@mid.deneb.enyo.de> <[🔎] 20080527154959.GA30226@albino>

On Tue, May 27, 2008 at 05:49:59PM +0200, Patrik Fimml wrote:
> On Tue, May 27, 2008 at 04:51:36PM +0200, Florian Weimer wrote:
> > > Well, I actually had false positives (on amd64) -- even freshly
> > > generated keys with the new libopenssl package were reported as bad,
> > > which irritated me a bit.
> > 
> > And you've already deleted those keys, right?  How convenient. 8-/
> 
> No, actually, /all/ keys I generated were allegedly weak -- this means, after
> executing ssh-keygen and dowkd.pl five times, I stuck to the key.

This rings all my alarm bells. In similar cases I've had reported to me,
it always turned out that e.g. somebody had upgraded openssl but not
libssl0.9.8, or something similar.

> (ssh-vulnkey thinks it is fine though.)

While I'm very confident in ssh-vulnkey's accuracy, note that
ssh-vulnkey has two different states you might interpret as "fine": "Not
blacklisted" (i.e. definitely fine) and "Unknown (no blacklist
information)" (i.e. no blacklist file installed for this key type and
size). In the most recent upload to unstable, I clarified the second
state to "Unknown (blacklist file not installed)" and added more
detailed documentation in the manual page.

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply to:

Follow-Ups:
- Re: ssl security desaster
  - From: Patrik Fimml <patrik@fimml.at>

References:
- ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Martin Uecker <muecker@gwdg.de>
- Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Thijs Kinkhorst <thijs@debian.org>
- Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Mike Bird <mgb-debian@yosemite.net>
- Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Colin Watson <cjwatson@debian.org>
- Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Joey Hess <joeyh@debian.org>
- Re: ssl security desaster
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: ssl security desaster
  - From: Patrik Fimml <patrik@fimml.at>
- Re: ssl security desaster
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: ssl security desaster
  - From: Patrik Fimml <patrik@fimml.at>

Prev by Date: Re: Availability of debian changelogs
Next by Date: Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
Previous by thread: Re: ssl security desaster
Next by thread: Re: ssl security desaster
Index(es):
- Date
- Thread