> The source of this confusion seems to be a footnote in a paper published 
> shortly after that bug [4] ("but the version of OpenSSL deployed on 
> Debian-derived distributions ships without any elliptic curve support"). That 
> is wrong.

Hi Hanno.  I agree that the OpenSSL 0.9.8 branch contained ECDSA code, but it 
was possible for distro maintainers to easily disable this during the build 
process.  I know that Red Hat did this due to ECC patent concerns, and I've 
always assumed that Debian did too.

Have you looked into whether or not Debian's 2008 OpenSSL build process started 
with something like this...

> ./config -no-ec -no-ecdh -no-ecdsa
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring for linux-x86_64
   no-camellia     [default]  OPENSSL_NO_CAMELLIA (skip dir)
   no-ec           [option]   OPENSSL_NO_EC (skip dir)
   no-ecdh         [forced]   OPENSSL_NO_ECDH (skip dir)
   no-ecdsa        [forced]   OPENSSL_NO_ECDSA (skip dir)
...

?

________________________________
From: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> on 
behalf of Hanno Böck <ha...@hboeck.de>
Sent: 08 July 2022 10:28
To: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org>
Subject: Debian Weak Keys and ECDSA

Hi,

Given that not so long ago there was extensive discussion on this list
about certificates affected by the 2008 Debian OpenSSL bug [1] and
there seem to be related discussions in the CA/Browser Forum [2] I
wanted to share something:

It seems it is widely believed that the Debian OpenSSL bug does not
affect ECDSA / elliptic curve keys [3]. However that is not true. The
affected Debian versions used OpenSSL 0.9.8, which had support for EC
keys.

The source of this confusion seems to be a footnote in a paper
published shortly after that bug [4] ("but the version of OpenSSL
deployed on Debian-derived distributions ships without any elliptic
curve support"). That is wrong.


There's of course the question whether this matters. I did some checks
with certificate collections and I found no such keys used in the wild.
This is also maybe not surprising: In 2008 elliptic curve support in
TLS was still quite uncommon and considered unusual.


In any case: If you feel like blocking those keys is important, I have
created the different relevant variations for the typical curves p256
and p384 and shared them here (together with all the relevant RSA/DSA
variations of vulnerable keys):
https://github.com/badkeys/debianopenssl

I should note that sometimes this old openssl version seems to generate
broken keys that are not usable. I have not investigated this any
further.


My own tool badkeys will detect such keys:
https://badkeys.info/
https://github.com/badkeys/badkeys


If you want to verify this you may find this script helpful:
https://github.com/badkeys/debianssltools/blob/main/fetchdwkbin
It fetches the archived debian openssl packages and the necessary
libraries from the dependencies so you can run them with LD_PRELOAD on
a modern system.


[1] https://groups.google.com/g/mozilla.dev.security.policy/c/2uuXLPwGoSA/m/bqUDTXPSAgAJ
[2] https://archive.cabforum.org/pipermail/servercert-wg/2022-July/003260.html
[3] https://community.letsencrypt.org/t/is-it-possible-to-make-ecdsa-keys-with-insecure-debian-openssl/133847
[4] https://hovav.net/ucsd/dist/debiankey.pdf

--
Hanno Böck
https://hboeck.de/

--
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220708112853.51605585%40computer.
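The blocklist check that a tool like badkeys applies to an EC certificate key, as an added example for the detection side of Hanno's message: this is our own code, not badkeys' implementation or anything from the thread. The fingerprint convention (SHA-256 over curve OID and uncompressed point) and the one-entry blocklist (the P-256 generator point, standing in for keys regenerated with the broken PRNG) are constructed here, and only uncompressed points are handled.

```python
import hashlib

# Added example; not code from the thread or from the badkeys project.
# OID bodies for id-ecPublicKey (1.2.840.10045.2.1) and prime256v1 (1.2.840.10045.3.1.7).
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")

def _tlv(tag, body):
    """Encode one DER tag-length-value (short and one-byte long form; enough for an EC SPKI)."""
    n = len(body)
    assert n < 0x100
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n])
    return bytes([tag]) + length + body

def _read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, body, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def ec_spki(curve_oid, x, y):
    """Build a SubjectPublicKeyInfo for an uncompressed 256-bit point (used to construct test input)."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    algid = _tlv(0x30, _tlv(0x06, OID_EC_PUBLIC_KEY) + _tlv(0x06, curve_oid))
    return _tlv(0x30, algid + _tlv(0x03, b"\x00" + point))

def parse_ec_spki(der):
    """Return (curve OID body, uncompressed point bytes) from an EC SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(der, 0)
    t_alg, algid, pos = _read_tlv(body, 0)
    t_bits, bits, _ = _read_tlv(body, pos)
    if (tag, t_alg, t_bits) != (0x30, 0x30, 0x03):
        raise ValueError("not a SubjectPublicKeyInfo")
    t_oid, oid, pos = _read_tlv(algid, 0)
    t_curve, curve, _ = _read_tlv(algid, pos)
    if t_oid != 0x06 or oid != OID_EC_PUBLIC_KEY or t_curve != 0x06:
        raise ValueError("not an id-ecPublicKey key with a named curve")
    if bits[0] != 0 or bits[1] != 0x04:
        raise ValueError("expected an uncompressed point with no unused bits")
    return curve, bits[1:]

def fingerprint(curve, point):
    """Our own convention (an assumption, not badkeys' format): SHA-256 over curve OID and point."""
    return hashlib.sha256(curve + point).hexdigest()

# P-256 generator coordinates (the public key of private key 1), standing in for a weak key.
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
# Constructed blocklist; a real one holds a fingerprint for every key the broken PRNG can produce.
WEAK_EC_FINGERPRINTS = {fingerprint(*parse_ec_spki(ec_spki(OID_PRIME256V1, P256_GX, P256_GY)))}

def is_weak_ec_key(der, blocklist=WEAK_EC_FINGERPRINTS):
    """True when the key in this SubjectPublicKeyInfo is on the weak-key blocklist."""
    curve, point = parse_ec_spki(der)
    return fingerprint(curve, point) in blocklist
```

In practice the DER comes from the certificate's SubjectPublicKeyInfo and the blocklist from fingerprints of the keys published in the debianopenssl repository, hashed with the same convention.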
