From: Paul Querna
To: dev@httpd.apache.org
Subject: Impact of OpenSSL Randomness issues on Debian
Date: Tue, 13 May 2008 14:18:29 -0700
Message-ID: <482A05A5.6050804@force-elite.com>

If you are just catching up:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166
http://it.slashdot.org/article.pl?sid=08/05/13/1533212

Most of the talk has been about how SSH Servers and Client private keys are vulnerable.

However, Private x509 Keys generated by a vulnerable machine, and used by HTTPS are also guessable.

Debian and Ubuntu have made several tools to detect weak key signatures in OpenSSH and OpenVPN.

1) Shouldn't it be possible to write something that detects the weak private key fingerprint from the SSL handshake?

2) Should we remind users on announce@httpd or another medium, that any x509 keys generated on a Debian or Ubuntu server, such as those used for HTTPS, in the last 2 years, should be re-generated?

Thanks,

-Paul
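
Question 1 above asks whether a weak key can be recognized from the certificate a server presents in the handshake. As an added example (not part of the original message, and not Debian's or httpd's code), this Python extracts the RSA modulus from a DER certificate and matches its fingerprint against a blocklist. The fingerprint convention (last 20 hex digits of SHA-1 over the `Modulus=<HEX>` line), the function names and the skeleton sample certificate are assumptions constructed here.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, content_start, content_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def children(buf, start, end):
    """Return (tag, start, end) for each element directly inside [start, end)."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_modulus(cert_der):
    """Pull the RSA modulus out of a DER-encoded X.509 certificate."""
    _, s, e = read_tlv(cert_der, 0)                    # Certificate
    _, s, e = children(cert_der, s, e)[0]              # tbsCertificate
    fields = children(cert_der, s, e)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # optional [0] version
    _, s, e = fields[5]                                # subjectPublicKeyInfo
    tag, s, e = children(cert_der, s, e)[1]            # subjectPublicKey
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    tag, s, e = read_tlv(cert_der, s + 1)              # skip unused-bits byte
    if tag != 0x30:
        raise ValueError("not an RSA public key")
    _, s, e = children(cert_der, s, e)[0]              # modulus INTEGER
    return int.from_bytes(cert_der[s:e], "big")

def modulus_fingerprint(n):
    """Assumed convention: last 80 bits of SHA-1 over 'Modulus=<HEX>' plus newline."""
    return hashlib.sha1(("Modulus=%X\n" % n).encode()).hexdigest()[20:]

def is_blocklisted(cert_der, blocklist):
    return modulus_fingerprint(rsa_modulus(cert_der)) in blocklist

# Constructed skeleton certificate (not a real one): only the fields walked above.
tlv = lambda tag, body=b"": bytes([tag, len(body)]) + body
SAMPLE_N = 0xC3A51F079B2D4E61
_key = tlv(0x30, tlv(0x02, b"\x00" + SAMPLE_N.to_bytes(8, "big")) + tlv(0x02, b"\x01\x00\x01"))
_spki = tlv(0x30, tlv(0x30) + tlv(0x03, b"\x00" + _key))
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 4 + _spki))
```

For a live check of your own server, `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))` returns the DER bytes to pass to `is_blocklisted`, with the blocklist loaded from the distribution's weak-key lists.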