httpd-dev mailing list archives

From: Paul Querna <c...@force-elite.com>
Subject: Impact of OpenSSL Randomness issues on Debian
Date: Tue, 13 May 2008 21:18:29 GMT

If you are just catching up:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166
http://it.slashdot.org/article.pl?sid=08/05/13/1533212

Most of the talk has been about how SSH Servers and Client private keys 
are vulnerable.

However, Private x509 Keys generated by a vulnerable machine, and used 
by HTTPS are also guessable.

Debian and Ubuntu have made several tools to detect weak key signatures 
in OpenSSH and OpenVPN.

1) Shouldn't it be possible to write something that detects the weak 
private key fingerprint from the SSL handshake?

2) Should we remind users on announce@httpd or another medium, that any 
x509 keys generated on a Debian or Ubuntu server, such as those used 
for HTTPS, in the last 2 years, should be re-generated?

Thanks,

-Paul
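
On question 1, an added sketch (not part of the original message, and not Debian's or Ubuntu's tooling): the certificate a server presents in the handshake carries its public key, so a check can extract the RSA modulus and look up its hash in a list of known weak keys. The fingerprint format, the function names, the toy key and the one-entry list are assumptions constructed for illustration; the input is assumed to be the DER SubjectPublicKeyInfo already taken from the server certificate.

```python
import hashlib

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_from_spki(spki):
    """Pull the RSA modulus out of a DER SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = read_tlv(body)
    _, oid, _ = read_tlv(alg)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    tag, bits, _ = read_tlv(body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsa_key, _ = read_tlv(bits[1:])
    tag, n, _ = read_tlv(rsa_key)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n, "big")

def fingerprint(modulus):
    """Hypothetical list format: SHA-256 over the big-endian modulus bytes."""
    raw = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()

def is_listed(spki, weak_fingerprints):
    """True if the key's modulus fingerprint appears in the weak-key list."""
    return fingerprint(rsa_modulus_from_spki(spki)) in weak_fingerprints

# Constructed sample: toy 64-bit modulus, e = 65537, hand-encoded as DER.
TOY_MODULUS = 0xD5BBB96D30086EC5
SAMPLE_SPKI = bytes.fromhex(
    "3024300d06092a864886f70d0101010500031300"
    "3010020900d5bbb96d30086ec50203010001")
WEAK_FINGERPRINTS = {fingerprint(TOY_MODULUS)}  # constructed one-entry list
```

The check needs only public data, so it can be run against a certificate file or a live server without access to the private key.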

