Your message dated Tue, 31 May 2016 09:06:11 +0200
with message-id <[email protected]>
and subject line Re: openssl: cannot remove short password from key
has caused the Debian Bug report #533365,
regarding openssl: cannot remove short password from key
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
533365: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533365
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 0.9.8g-15+lenny1
Severity: important

I have got an RSA key which is encrypted (Proc-Type: 4,ENCRYPTED) using a 
password of only one character.
Unfortunately, OpenSSL is not able to remove the password with the standard

openssl rsa -in my.key -out my.key.insecure

Error:

29913:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters

A forced check like this is questionable, and in the case of not generating, 
but just *using* (e.g. decrypting) a password it is totally unacceptable.
OpenSSL renders my private key unusable.

Proposal for fixing this issue: remove password size/quality checks for 
decrypting operations.

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
ii  libc6                  2.7-18            GNU C Library: Shared libraries
ii  libssl0.9.8            0.9.8g-15+lenny1  SSL shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates               20080809   Common CA certificates

-- no debconf information



--- End Message ---
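
The proposal in the report above, sketched as an added example (not OpenSSL's code and not the fix that was shipped): a passphrase callback with the same parameter list as OpenSSL's pem_password_cb that applies the minimum length only when rwflag says a new passphrase is being set. The function name, the use of the user-data pointer as the passphrase source, and the reuse of the 4 and 8191 limits from the error text are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Limits taken from the error text in the report: "4 to 8191 characters". */
#define PW_MIN_NEW 4
#define PW_MAX     8191

/*
 * Same parameter list as OpenSSL's pem_password_cb:
 *   buf/size - output buffer for the passphrase
 *   rwflag   - 1 when a key is being encrypted (new passphrase),
 *              0 when an existing key is being decrypted
 *   u        - caller data; here (assumption) a NUL-terminated passphrase
 * Returns the passphrase length, or 0 on failure.
 */
int direction_aware_pw_cb(char *buf, int size, int rwflag, void *u)
{
    const char *pw = u;
    size_t len;

    if (buf == NULL || size <= 0 || pw == NULL)
        return 0;

    len = strlen(pw);
    if (len > PW_MAX || len > (size_t)size)
        return 0;                 /* would not fit: refuse, never truncate */

    /* Length policy applies only when a new passphrase is being chosen. */
    if (rwflag == 1 && len < PW_MIN_NEW)
        return 0;

    /* Decrypting: accept whatever the key was actually protected with. */
    memcpy(buf, pw, len);
    return (int)len;
}
```

The returned length, not a terminating NUL, tells the caller how many bytes of buf hold the passphrase.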
--- Begin Message ---
Version: 1.1.0~pre5-1

This is fixed in experimental. The 1.0.2 branch which contains the fix
has not yet been released.

Sebastian

--- End Message ---
