Re: ssl security desaster
On Wed, May 28, 2008 at 12:00:47AM +0100, Colin Watson wrote:
> On Tue, May 27, 2008 at 05:49:59PM +0200, Patrik Fimml wrote:
> > No, actually, /all/ keys I generated were allegedly weak -- this means, after
> > executing ssh-keygen and dowkd.pl five times, I stuck to the key.
>
> This rings all my alarm bells. In similar cases I've had reported to me,
> it always turned out that e.g. somebody had upgraded openssl but not
> libssl0.9.8, or something similar.
Eek, that may indeed have been possible. :-(
> > (ssh-vulnkey thinks it is fine though.)
>
> While I'm very confident in ssh-vulnkey's accuracy, note that
> ssh-vulnkey has two different states you might interpret as "fine": "Not
> blacklisted" (i.e. definitely fine) and "Unknown (no blacklist
> information)" (i.e. no blacklist file installed for this key type and
> size). In the most recent upload to unstable, I clarified the second
> state to "Unknown (blacklist file not installed)" and added more
> detailed documentation in the manual page.
No, my current key is really fine.
It seems that I really only upgraded openssl when trying dowkd.pl, and
then upgraded everything before trying again. :-/ Sorry for the
confusion.
Patrik
PS: second eek - originally not sent to list accidentally.
Reply to: