Hi,

Given that not so long ago there was extensive discussion on this list about certificates affected by the 2008 Debian OpenSSL bug [1] and there seem to be related discussions in the CA/Browser Forum [2], I wanted to share something:

It seems it is widely believed that the Debian OpenSSL bug does not affect ECDSA / elliptic curve keys [3]. However, that is not true. The affected Debian versions used OpenSSL 0.9.8, which had support for EC keys. The source of this confusion seems to be a footnote in a paper published shortly after that bug [4] ("but the version of OpenSSL deployed on Debian-derived distributions ships without any elliptic curve support"). That is wrong.

There's of course the question whether this matters. I did some checks with certificate collections and I found no such keys used in the wild. This is also maybe not surprising: in 2008 elliptic curve support in TLS was still quite uncommon and considered unusual.

In any case: if you feel like blocking those keys is important, I have created the different relevant variations for the typical curves p256 and p384 and shared them here (together with all the relevant RSA/DSA variations of vulnerable keys):
https://github.com/badkeys/debianopenssl

I should note that sometimes this old OpenSSL version seems to generate broken keys that are not usable. I have not investigated this any further.

My own tool badkeys will detect such keys:
https://badkeys.info/
https://github.com/badkeys/badkeys

If you want to verify this you may find this script helpful:
https://github.com/badkeys/debianssltools/blob/main/fetchdwkbin
It fetches the archived Debian OpenSSL packages and the necessary libraries from the dependencies so you can run them with LD_PRELOAD on a modern system.

[1] https://groups.google.com/g/mozilla.dev.security.policy/c/2uuXLPwGoSA/m/bqUDTXPSAgAJ
[2] https://archive.cabforum.org/pipermail/servercert-wg/2022-July/003260.html
[3] https://community.letsencrypt.org/t/is-it-possible-to-make-ecdsa-keys-with-insecure-debian-openssl/133847
[4] https://hovav.net/ucsd/dist/debiankey.pdf

-- 
Hanno Böck
https://hboeck.de/
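Added example, not part of Hanno's post and not code from the badkeys or debianopenssl projects: a standard-library Python checker that takes an EC public key as a PEM SubjectPublicKeyInfo, canonicalises it (decompressing a compressed point and verifying it lies on P-256 or P-384, which also catches the kind of broken key the post mentions), and looks its fingerprint up in a blocklist. The fingerprint format (SHA-256 over curve name and uncompressed point) and the blocklist are assumptions made for this example, not the format badkeys or the debianopenssl repository use; the sample "weak" key is the P-256 base point, a constructed stand-in, not a real Debian-weak key.

```python
"""Added example: check an EC public key against a weak-key blocklist.
Keys are canonicalised to (curve name, uncompressed point) before hashing, so
compressed and uncompressed encodings of the same weak key match the same entry."""
import base64
import hashlib
import re

# SEC 2 / FIPS 186-4 parameters: OID -> (name, prime p, coefficient b, coord bytes); a = p - 3.
CURVES = {
    "1.2.840.10045.3.1.7": ("P-256",
        0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
        0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B, 32),
    "1.3.132.0.34": ("P-384",
        0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF,
        0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF, 48),
}
EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_tlv(tag, value):
    """Encode one definite-length TLV (used here only to build the sample keys)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:                    # base-128 groups, high bit = continuation
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for n in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        groups = [n & 0x7F]
        while n >> 7:
            n >>= 7
            groups.append(0x80 | (n & 0x7F))
        out += bytes(reversed(groups))
    return bytes(out)

def parse_ec_spki(pem):
    """Return (curve OID, raw EC point bytes) from a PEM SubjectPublicKeyInfo."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    tag, spki, _ = der_read(der)
    tag_alg, alg, pos = der_read(spki)
    tag_bits, bits, _ = der_read(spki, pos)
    if (tag, tag_alg, tag_bits) != (0x30, 0x30, 0x03) or bits[:1] != b"\x00":
        raise ValueError("not a SubjectPublicKeyInfo")
    _, keytype, pos = der_read(alg)
    _, curve, _ = der_read(alg, pos)
    if decode_oid(keytype) != EC_PUBLIC_KEY_OID:
        raise ValueError("not an EC key")
    return decode_oid(curve), bits[1:]

def canonical_point(curve_oid, point):
    """Decompress if needed, verify the point is on the curve, and return
    (curve name, uncompressed 0x04 || X || Y encoding)."""
    if curve_oid not in CURVES:
        raise ValueError("unsupported curve " + curve_oid)
    name, p, b, size = CURVES[curve_oid]
    if point[:1] == b"\x04" and len(point) == 1 + 2 * size:
        x = int.from_bytes(point[1:1 + size], "big")
        y = int.from_bytes(point[1 + size:], "big")
    elif point[:1] in (b"\x02", b"\x03") and len(point) == 1 + size:
        x = int.from_bytes(point[1:], "big")
        rhs = (pow(x, 3, p) - 3 * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)       # sqrt mod p; valid because p % 4 == 3
        if (y & 1) != (point[0] & 1):       # choose the root with the signalled parity
            y = p - y
    else:
        raise ValueError("malformed point encoding")
    if x >= p or y >= p or (y * y - (pow(x, 3, p) - 3 * x + b)) % p != 0:
        raise ValueError("point not on curve")
    return name, b"\x04" + x.to_bytes(size, "big") + y.to_bytes(size, "big")

def fingerprint(name, uncompressed):
    # Assumed blocklist key format for this example (not the badkeys format).
    return hashlib.sha256(name.encode() + b":" + uncompressed).hexdigest()

def check_ec_key(pem, blocklist):
    """'weak' if blocklisted, 'ok' if not, 'malformed: <reason>' if unusable."""
    try:
        name, pt = canonical_point(*parse_ec_spki(pem))
    except (ValueError, IndexError) as exc:
        return "malformed: " + str(exc)
    return "weak" if fingerprint(name, pt) in blocklist else "ok"

def ec_spki_pem(curve_oid, point):
    """Wrap a raw point in a PEM SubjectPublicKeyInfo (for the constructed samples)."""
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(EC_PUBLIC_KEY_OID))
                  + der_tlv(0x06, encode_oid(curve_oid)))
    b64 = base64.b64encode(der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + point))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

# Constructed samples: the P-256 base point stands in for a "weak" public key
# (a valid curve point, not a real Debian-weak key); GY is odd, hence prefix 0x03.
P256_OID = "1.2.840.10045.3.1.7"
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
SAMPLE_UNCOMPRESSED = ec_spki_pem(P256_OID, b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big"))
SAMPLE_COMPRESSED = ec_spki_pem(P256_OID, b"\x03" + GX.to_bytes(32, "big"))
SAMPLE_CORRUPT = ec_spki_pem(P256_OID, b"\x04" + GX.to_bytes(32, "big") + (GY ^ 1).to_bytes(32, "big"))
# Hypothetical blocklist; a real one would be loaded from fingerprints of the generated weak keys.
SAMPLE_BLOCKLIST = {fingerprint(*canonical_point(*parse_ec_spki(SAMPLE_UNCOMPRESSED)))}
```

Because the lookup runs on the canonical point rather than on the DER bytes, re-encoding a weak key (compressed point, different PEM line wrapping) does not evade the blocklist, and a key whose point is not on the curve is reported as malformed instead of silently passing as "ok".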