Re: openssl-blacklist & two keys per one pid

To: Florian Weimer <fw@deneb.enyo.de>
Cc: Kees Cook <kees@ubuntu.com>, Jan Tomasek <jan@tomasek.cz>, Jamie Strandboge <jamie@ubuntu.com>, debian-security@lists.debian.org
Subject: Re: openssl-blacklist & two keys per one pid
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
Date: Mon, 19 May 2008 14:45:36 +0200
Message-id: <[🔎] 451143B7-9F52-4826-88DE-9FC8E48E27B8@webweaving.org>
In-reply-to: <[🔎] 874p8u5vyx.fsf@mid.deneb.enyo.de>
References: <[🔎] 4830B725.7070104@tomasek.cz> <[🔎] 20080518233458.GF12850@outflux.net> <[🔎] 874p8u5vyx.fsf@mid.deneb.enyo.de>


On May 19, 2008, at 2:17 PM, Florian Weimer wrote:

The rule is simple. When the ~/.rnd file doesn't exist I get onekey and
in other situation I get another (that listed in Ubuntu
openssl-blacklist) key. Because of this problem openssl-blacklisthas tobe twice big than openssh-blacklist. I developed simple shellscripts togenerate list of all key lengths we are interested in. They areattached.
Yes, this was realized during the generation of the openssl-blacklist inUbuntu. We're expecting to have the more complete lists publishedsoon,
for all 3 architectures.
BTW, it appears that the same blacklist can be used for -3 and -F4keys.
(Just in case you haven't checked that already.)

One way to do this a bit more careful may be by comparing the actualdata itself. OpenSSL will output this with the modulus flag:


	openssl genrsa 1024 | openssl rsa -noout -modulus

So then you (know) you are comparing the actual thing.

Dw.

$ rm ~/.rnd ; ./openssl genrsa -3 1024 2>/dev/null | openssl rsa -noout -modulus$ rm ~/.rnd ; ./openssl genrsa -f4 1024 2>/dev/null | openssl rsa -noout -modulus

$ ./openssl genrsa -f4 1024 2>/dev/null  | openssl rsa -noout -modulus
$ ./openssl genrsa -3 1024 2>/dev/null  | openssl rsa -noout -modulus

Modulus=EE5750DD26F70AEAD7C40EA901B60231484D93F4E56A564D6E01BB55A64280DEB81D89F92ACB4876D1B4AFE4C5F8640AC45C2CD59168CA97B0F1565656B41B25D795F66E88FB8BDBC575CE8C12A9575B3B1CB5F3F4082B1848B1197B82786AF061CCDCDD419D23E342B1B77A510879B011E6F19D25754F5E30FAFC92AC79CA4D
Modulus=EE5750DD26F70AEAD7C40EA901B60231484D93F4E56A564D6E01BB55A64280DEB81D89F92ACB4876D1B4AFE4C5F8640AC45C2CD59168CA97B0F1565656B41B25D795F66E88FB8BDBC575CE8C12A9575B3B1CB5F3F4082B1848B1197B82786AF061CCDCDD419D23E342B1B77A510879B011E6F19D25754F5E30FAFC92AC79CA4D
Modulus=CBD028C5893EFBA1725BDFC4D5D9C3B2325E7569A27E0B5DF30785203D969FC1CA874C03FD151A2332BE54EE5DF6B3C2B55580AE68C6D998E0728B8749333322D48DE2AC43E4732AF67478F73BC66EDA8FDEC00E80C02E94D3457E4AFFBAF9CDAEF9B85BF504F774091D1D954FAD22584970CF0AC25D6A1CEA29A21E7BDCCCCF
Modulus=CBD028C5893EFBA1725BDFC4D5D9C3B2325E7569A27E0B5DF30785203D969FC1CA874C03FD151A2332BE54EE5DF6B3C2B55580AE68C6D998E0728B8749333322D48DE2AC43E4732AF67478F73BC66EDA8FDEC00E80C02E94D3457E4AFFBAF9CDAEF9B85BF504F774091D1D954FAD22584970CF0AC25D6A1CEA29A21E7BDCCCCF

Reply to:

Follow-Ups:
- Re: openssl-blacklist & two keys per one pid
  - From: Florian Weimer <fw@deneb.enyo.de>

References:
- openssl-blacklist & two keys per one pid
  - From: Jan Tomasek <jan@tomasek.cz>
- Re: openssl-blacklist & two keys per one pid
  - From: Kees Cook <kees@ubuntu.com>
- Re: openssl-blacklist & two keys per one pid
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: openssl-blacklist & two keys per one pid
Next by Date: Re: openssl-blacklist & two keys per one pid
Previous by thread: Re: openssl-blacklist & two keys per one pid
Next by thread: Re: openssl-blacklist & two keys per one pid
Index(es):
- Date
- Thread