Fault in openssl-blacklist - version 0.1 -- false negatives.
Just FYI - there seems to be a minor fault in the openssl-blacklist tool[1],
I strongly suspect that the line:

    #print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits, modulus, key, key[20:])
    if key[20:] in db_lines:

needs to be

    key = sha.sha(modulus).hexdigest()
    #print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits, modulus, key, key[20:])
    if key in db_lines:

for the tool to be functional. As it stands - it seems to give false
negatives -- lulling one into a potentially false sense of security.
Thanks,
Dw.
1: https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2
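
The lookup discussed above only works when the probe has the same width as the stored entries; the following is an added example, not code from the post or from openssl-blacklist, showing how a width mismatch produces a silent false negative and how a loader can refuse to guess. The file format (one lowercase hex SHA-1 per line, either all 40 characters or the last 20), the function names and the sample modulus strings are assumptions, and `hashlib.sha1` stands in for the old `sha` module.

```python
import hashlib

def fingerprint(modulus):
    # Python 3 equivalent of the post's sha.sha(modulus).hexdigest()
    return hashlib.sha1(modulus.encode("ascii")).hexdigest()

def load_blacklist(lines):
    """Parse blacklist lines; return (entries, width) or raise on an inconsistent list."""
    stripped = (ln.strip().lower() for ln in lines)
    entries = {s for s in stripped if s and not s.startswith("#")}
    widths = {len(e) for e in entries}
    # Assumed formats: full 40-hex-char digests, or only their last 20 hex chars.
    if len(widths) != 1 or not widths <= {20, 40}:
        raise ValueError("unexpected blacklist entry widths: %s" % sorted(widths))
    return entries, widths.pop()

def naive_lookup(modulus, entries):
    # The check as quoted in the post: always probes with the truncated digest.
    return fingerprint(modulus)[20:] in entries

def is_blacklisted(modulus, entries, width):
    # Probe with the same width the list actually stores.
    key = fingerprint(modulus)
    probe = key if width == 40 else key[20:]
    return probe in entries

# Constructed sample data: not real key material and not real blacklist entries.
KNOWN_BAD = "Modulus=C0FFEE0123456789ABCDEF"
UNLISTED = "Modulus=FEEDFACE0123456789ABCD"
FULL_DB = ["# constructed list, full digests\n", fingerprint(KNOWN_BAD) + "\n"]
SHORT_DB = ["# constructed list, last 20 hex chars\n", fingerprint(KNOWN_BAD)[20:] + "\n"]

if __name__ == "__main__":
    for name, db in (("full", FULL_DB), ("short", SHORT_DB)):
        entries, width = load_blacklist(db)
        print(name, "naive:", naive_lookup(KNOWN_BAD, entries),
              "width-aware:", is_blacklisted(KNOWN_BAD, entries, width))
```

Running a known-listed key through the checker after every blacklist update catches this class of mismatch before a clean result is trusted.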