Re: ssl security desaster

To: debian-devel@lists.debian.org
Subject: Re: ssl security desaster
From: Patrik Fimml <patrik@fimml.at>
Date: Thu, 29 May 2008 11:52:53 +0200
Message-id: <[🔎] 20080529095253.GA3054@clark.edv>
In-reply-to: <[🔎] 20080527230047.GA9397@riva.ucam.org>
References: <[🔎] 1210853087.16247.13.camel@localhost> <[🔎] 200805151520.12046.thijs@debian.org> <[🔎] 200805150915.57042.mgb-debian@yosemite.net> <[🔎] 20080526230904.GA21013@riva.ucam.org> <[🔎] 20080526233330.GB13752@kodama.kitenet.net> <[🔎] 87skw3c0x1.fsf@mid.deneb.enyo.de> <[🔎] 20080527135510.GA5317@albino> <[🔎] 871w3nby13.fsf@mid.deneb.enyo.de> <[🔎] 20080527154959.GA30226@albino> <[🔎] 20080527230047.GA9397@riva.ucam.org>

On Wed, May 28, 2008 at 12:00:47AM +0100, Colin Watson wrote:
> On Tue, May 27, 2008 at 05:49:59PM +0200, Patrik Fimml wrote:
> > No, actually, /all/ keys I generated were allegedly weak -- this means, after
> > executing ssh-keygen and dowkd.pl five times, I stuck to the key.
> 
> This rings all my alarm bells. In similar cases I've had reported to me,
> it always turned out that e.g. somebody had upgraded openssl but not
> libssl0.9.8, or something similar.

Eek, that may indeed have been possible. :-(

> > (ssh-vulnkey thinks it is fine though.)
> 
> While I'm very confident in ssh-vulnkey's accuracy, note that
> ssh-vulnkey has two different states you might interpret as "fine": "Not
> blacklisted" (i.e. definitely fine) and "Unknown (no blacklist
> information)" (i.e. no blacklist file installed for this key type and
> size). In the most recent upload to unstable, I clarified the second
> state to "Unknown (blacklist file not installed)" and added more
> detailed documentation in the manual page.

No, my current key is really fine.

It seems that I really only upgraded openssl when trying dowkd.pl, and
then upgraded everything before trying again. :-/ Sorry for the
confusion.

Patrik

PS: second eek - originally not sent to list accidentally.

Reply to:

References:
- ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Martin Uecker <muecker@gwdg.de>
- Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Thijs Kinkhorst <thijs@debian.org>
- Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Mike Bird <mgb-debian@yosemite.net>
- Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Colin Watson <cjwatson@debian.org>
- Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Joey Hess <joeyh@debian.org>
- Re: ssl security desaster
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: ssl security desaster
  - From: Patrik Fimml <patrik@fimml.at>
- Re: ssl security desaster
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: ssl security desaster
  - From: Patrik Fimml <patrik@fimml.at>
- Re: ssl security desaster
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Re: funny outputs of ssh-vulnkey
Next by Date: Re: funny outputs of ssh-vulnkey
Previous by thread: Re: ssl security desaster
Next by thread: Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
Index(es):
- Date
- Thread