Hi Peter,

On Saturday, 17. May 2008, Peter Schneider-Kamp wrote:
> the recently publicized SSL weak key generation for debian-based systems
> (c.f. http://www.debian.org/security/key-rollover/)
> has led our university computing center to retract our
> Gentoo-generated SSL keys based on an advisory from the German
> DFN cert :-(

I could not find where these advisories are published on their site, I
guess they are not publicly distributed.

> I have not found any information about whether this might also
> affect Gentoo systems. A test with the Perl script from
> http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
> does not show vulnerability:
> ~ summary: keys found: 2, weak keys: 0
>
> So I guess that Gentoo-generated keys are not affected.
> Still it would be nice to have an official statement
> to prevent official certification bodies from retracting
> valid Gentoo-generated keys.

The Gentoo Security Team internally reviewed patches to
our "dev-libs/openssl" package right when we heard about the issue via a
private channel. We could confirm that the patch is not included in our
distribution. Furthermore, additional tests showed that there is no
dependence only on PID when generating keys, and that some Gentoo-produced
keys are not included in the blacklist (which you also confirmed).

We issued no formal statement*, because Debian was so clear about the scope
of the vulnerability. To think that any distribution is affected, simply
because they do not publicly state they are not, is a bad habit. Other
CERTs usually contact us for vendor statements when they think we are
affected by one vulnerability.

The only thing compromising DSA keys generated on Gentoo is the usage of
the private key on an affected Debian, but even that was covered in both
the Debian and Ubuntu advisories.

Regards,
Robert // Gentoo Security


* I would not consider my blog entry on http://planet.gentoo.org a
formal statement.
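The blacklist check that dowkd.pl performs on the keys discussed in this thread, modelled in standard-library Python as an added example (not code from the thread, from Debian's tool, or from Gentoo): when the generator's only entropy is the PID, every possible key can be enumerated once and its fingerprint stored, so any key from an affected system matches the list, while a key from a properly seeded generator does not. The key derivation, fingerprint format and PID range here are constructed stand-ins, not real RSA/DSA generation or the real openssl-blacklist format.

```python
import hashlib
import os

# Assumed PID range of the model: 1..32767 (a common Linux default pid_max).
MAX_PID = 32767


def weak_keygen(pid: int, nbytes: int = 16) -> bytes:
    """Model of the broken generator: the only entropy is the PID.

    Constructed stand-in for key generation; the point is that the
    output is a pure function of the PID and nothing else.
    """
    return hashlib.sha256(b"seed:" + pid.to_bytes(2, "big")).digest()[:nbytes]


def good_keygen(nbytes: int = 16) -> bytes:
    """Properly seeded generator: fresh OS entropy for every key."""
    return os.urandom(nbytes)


def fingerprint(key: bytes) -> str:
    """Blacklist entry for a key (SHA-1 hex; constructed format)."""
    return hashlib.sha1(key).hexdigest()


def build_blacklist() -> set:
    """Walk every PID once: the entire weak key space fits in one set."""
    return {fingerprint(weak_keygen(pid)) for pid in range(1, MAX_PID + 1)}


def is_weak(key: bytes, blacklist: set) -> bool:
    """A key is weak exactly when its fingerprint is on the precomputed list."""
    return fingerprint(key) in blacklist


def summary(keys, blacklist: set) -> dict:
    """Same shape of result as the 'summary:' line quoted in the thread."""
    weak = sum(1 for k in keys if is_weak(k, blacklist))
    return {"keys found": len(keys), "weak keys": weak}


if __name__ == "__main__":
    bl = build_blacklist()
    print(summary([weak_keygen(42), good_keygen()], bl))
```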