Christoph Martin wrote:
| Hi Michel,
|
| Michel Meyers wrote:
|> Package: openssl-blacklist
|> Version: 0.3
|> Severity: normal
|>
|> Trying to use gen_certs.sh to build a 4096 key blacklist, I first
|> decided to double check that it would indeed generate vulnerable keys.
|> [...]
|>
|> As you can see, the second run generated different keys.
|>
|> Does gen_certs.sh only work when you put a vulnerable version of OpenSSL
|> onto the system?
|
| If I understand the script correctly, this is so. It should be called with
| a vulnerable version of OpenSSL.

OK. In that case this isn't really a bug but me trying to use it wrongly
due to that fact not being documented anywhere. A mention in the
README.Debian or in the script itself would be nice.

|> If yes, that should probably be mentioned somewhere as
|> otherwise blacklists generated with it are useless. The code makes it
|> look as if the script removed all randomness by cutting .rnd and using
|> getpid, but as shown above, the resulting keys are still fairly random.
|> (Or did I simply overlook something and am making a huge fool of myself
|> here? That's always a possibility too. ;) )
|
| We only have blacklists for 1024 and 2048 bit keys at the moment. So
| openssl-vulnkey can only detect these compromised keys.

I know, which is why I wanted to use gen_certs.sh to generate the
vulnerable 4096 bit keys and compare them to the 4096 keys I have.

Greetings,

Michel