httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Debian gaffe (DSA-1571-1, CVE-2008-016)
Date Fri, 16 May 2008 20:11:43 GMT
The debian gaffe also affects any 'req's or self-signed certs created  
on the affected platform.

Unfortunately the blacklists generated by folks are not quite complete  
(yet) -- which took me a while to get confirmed and checked for. As a  
result of that process - and for your entertainment:

1) Full Moduli for affected keys on Little Endian 32 bit linux with  
GCC 4 - defaults:

	http://www.webweaving.org/tmp/moduli-run-1.txt.gz

2) Utility to point at a site to check (for just the above, false  
positives galore!):

	http://www.webweaving.org/tmp/checksite <fqdn>

As the simplified tables are still coming from the debian  
community - and it is always good to cross check:

-	if you run linux (any recent version)

-	and if you have a big endian machine

-	or a 64 bit machine

-	or if you happen to have a strange LE32bit machine.

And a few hours of CPU time on a modern machine.... then could you do  
me a favour and fetch:

	http://www.webweaving.org/tmp/debian-gaffe.tgz

and run a few keys for me ?

The above shell script fetches openssl, compiles a specific variation  
and then (re)creates the 32k possible rsa keys, creating a file  
containing the Moduli (which can then be cross checked against the  
output of openssl's -modulus flag - when fed the cert of a random  
site).

For those on Little Endian, 32 bit machines - just the first 10 - 50  
would be great - unless they differ from the included sample.txt - in  
which case I'd be very interested.

As I'd love to a) confirm that the next release of the debian tools is  
complete -and- b) I'd like to put to rest concerns I have that the  
keyspace is actually larger than expected due to gcc or other  
variations.

Thanks,

Dw
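
The cross-check described in the message, as an added example that is not part of the original mail or of the debian-gaffe.tgz script: it compares the output of openssl's -modulus flag for a certificate against a moduli list. The function names, the script name and the list layout (one hex modulus per line) are assumptions.

```shell
#!/bin/sh
# Added example: is a certificate's RSA modulus in a list of known-weak moduli?
# Assumption: the list has one hex modulus per line, with or without the
# "Modulus=" prefix that `openssl ... -modulus` prints.

# Normalise moduli on stdin: strip blanks and the prefix, upper-case the hex.
normalise_moduli() {
    tr -d ' \t\r' | sed 's/^[Mm]odulus=//' | tr 'a-f' 'A-F'
}

# Exit 0 if modulus $1 is a whole-line match in list $2 (plain or .gz),
# 1 if it is absent, 2 if no modulus was supplied.
modulus_is_listed() (
    want=$(printf '%s\n' "$1" | normalise_moduli)
    [ -n "$want" ] || exit 2
    case "$2" in
        *.gz) gzip -dc -- "$2" ;;
        *)    cat -- "$2" ;;
    esac | normalise_moduli | grep -Fxq -- "$want"
)

# Print "Modulus=<hex>" for a PEM certificate file.
cert_modulus() {
    openssl x509 -in "$1" -noout -modulus
}

# Report on one certificate. A miss only means "not in this list": a list
# built on one platform does not cover keys generated on another.
check_cert() {
    m=$(cert_modulus "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    if modulus_is_listed "$m" "$2"; then
        echo "LISTED: $1 uses a modulus from $2; replace the key and certificate"
    else
        echo "not listed: $1 (not proof the key is sound)"
        return 1
    fi
}

# Usage (hypothetical script name): sh check-modulus.sh cert.pem moduli.txt[.gz]
if [ "$#" -eq 2 ]; then
    check_cert "$1" "$2"
fi
```

The same check covers 'req's and self-signed certs once their modulus is printed with the matching openssl subcommand.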
