Re: Fault in openssl-blacklist - version 0.1 -- false negatives.

To: Dirk-Willem van Gulik <dirkx@webweaving.org>
Cc: debian-security@lists.debian.org
Subject: Re: Fault in openssl-blacklist - version 0.1 -- false negatives.
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
Date: Fri, 16 May 2008 15:22:28 +0200
Message-id: <[🔎] 7B4877E7-A04D-49B2-934C-534E2A2C1950@webweaving.org>
In-reply-to: <[🔎] 750D25FB-7547-49DD-9682-39F3543D81F1@webweaving.org>
References: <[🔎] E263B77B-95C5-4E8F-B394-68BE4601F554@webweaving.org> <[🔎] 750D25FB-7547-49DD-9682-39F3543D81F1@webweaving.org>


On May 16, 2008, at 12:48 PM, Dirk-Willem van Gulik wrote:

Just FYI - there seems a minor fault in the openssl-blackist tool, Istrongly suspect

After discussing this with Jamie - two things - First note that aboveis NOT the caseprovided that you used [1] or more recent - and the therein included"debian/rules"

script has ran OK and without error.

You can verify this by checking that the head of the two blacklistsfiles looks like 2

and _not_ like 3 (perhaps this needs a nice checksum at some point).

Secondly - the lists are not entirely complete - so you may still getfalse

negatives -  Jamie lets know:

The blacklists are made for little-endian 32 bit, little endian 64 bit
and big endian 32 bit (don't have big endian 64 bit). Also, due totimeconstrainsts be32 is only half done. I plan on rolling out the full1024
and 2048 list today.

So that will be solved later today. So you may want to hold off anylabour

intensive scans.

Thanks,

Dw.

1 https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2

2 head blacklist.ok

# After these initial comments, each line must consist of the lower-case key

# modulus checksum:

# openssl rsa -noout -modulus -in /tmp/key.pem | sha1sum | cut -d '' -f 1)# with the first 20 characters removed (that is, the lower 80 bits ofthe# fingerprint). Unless these rules are followed, the blacklist willnot work

# properly. See openssl-vulnkey(1).
00005890bc78bcbee3ca
0000d80c186767f2473a
0001260681906865947e
...

3 head blacklist.not-ok

# After these initial comments, each line must consist of the lower-case key

# modulus checksum:

# properly. See openssl-vulnkey(1).
0bdf7fd6b52a2f0157d45f6fba4d283cd951461d
f381feecee302f10ada59730abd94c4ca497be6d
98fc6e7d255fc6e21def70c2d3e3cd17131567d2
...

Reply to:

References:
- Fault in openssl-blacklist - version 0.1 -- false negatives.
  - From: Dirk-Willem van Gulik <dirkx@webweaving.org>
- Fault in openssl-blacklist - version 0.1 -- false negatives.
  - From: Dirk-Willem van Gulik <dirkx@webweaving.org>

Prev by Date: Re: SASL AUTH only check 8 first characters of the password
Next by Date: Re: SASL AUTH only check 8 first characters of the password
Previous by thread: Fault in openssl-blacklist - version 0.1 -- false negatives.
Next by thread: Minor improvement to openssl-blacklist
Index(es):
- Date
- Thread