> The source of this confusion seems to be a footnote in a paper published
> shortly after that bug [4] ("but the version of OpenSSL deployed on
> Debian-derived distributions ships without any elliptic curve support"). That
> is wrong.
Hi Hanno.

I agree that the OpenSSL 0.9.8 branch contained ECDSA code, but it was possible for distro maintainers to easily disable this during the build process. I know that Red Hat did this due to ECC patent concerns, and I've always assumed that Debian did too. Have you looked into whether or not Debian's 2008 OpenSSL build process started with something like this...

  > ./config -no-ec -no-ecdh -no-ecdsa
  Operating system: x86_64-whatever-linux2
  Configuring for linux-x86_64
  Configuring for linux-x86_64
  no-camellia     [default]  OPENSSL_NO_CAMELLIA (skip dir)
  no-ec           [option]   OPENSSL_NO_EC (skip dir)
  no-ecdh         [forced]   OPENSSL_NO_ECDH (skip dir)
  no-ecdsa        [forced]   OPENSSL_NO_ECDSA (skip dir)
  ...

?

________________________________
From: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> on behalf of Hanno Böck <ha...@hboeck.de>
Sent: 08 July 2022 10:28
To: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org>
Subject: Debian Weak Keys and ECDSA

Hi,

Given that not so long ago there was extensive discussion on this list about certificates affected by the 2008 Debian OpenSSL bug [1] and there seem to be related discussions in the CA/Browser Forum [2] I wanted to share something:

It seems it is widely believed that the Debian OpenSSL bug does not affect ECDSA / elliptic curve keys [3]. However that is not true. The affected Debian versions used OpenSSL 0.9.8, which had support for EC keys.

The source of this confusion seems to be a footnote in a paper published shortly after that bug [4] ("but the version of OpenSSL deployed on Debian-derived distributions ships without any elliptic curve support"). That is wrong.

There's of course the question whether this matters. I did some checks with certificate collections and I found no such keys used in the wild. This is also maybe not surprising: In 2008 elliptic curve support in TLS was still quite uncommon and considered unusual.

In any case: If you feel like blocking those keys is important, I have created the different relevant variations for the typical curves p256 and p385 and shared them here (together with all the relevant RSA/DSA variations of vulnerable keys):
https://github.com/badkeys/debianopenssl

I should note that sometimes this old openssl version seems to generate broken keys that are not usable. I have not investigated this any further.

My own tool badkeys will detect such keys:
https://badkeys.info/
https://github.com/badkeys/badkeys

If you want to verify this you may find this script helpful:
https://github.com/badkeys/debianssltools/blob/main/fetchdwkbin

It fetches the archived debian openssl packages and the necessary libraries from the dependencies so you can run them with LD_PRELOAD on a modern system.

[1] https://groups.google.com/g/mozilla.dev.security.policy/c/2uuXLPwGoSA/m/bqUDTXPSAgAJ
[2] https://archive.cabforum.org/pipermail/servercert-wg/2022-July/003260.html
[3] https://community.letsencrypt.org/t/is-it-possible-to-make-ecdsa-keys-with-insecure-debian-openssl/133847
[4] https://hovav.net/ucsd/dist/debiankey.pdf

--
Hanno Böck
https://hboeck.de/

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220708112853.51605585%40computer.

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB4729410BDA8D258087F95B5EAA829%40MW4PR17MB4729.namprd17.prod.outlook.com.
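Hanno's repository holds the precomputed key variants; a CA-side check against such a list has to key on the EC point itself, since one key can be encoded as an uncompressed or a compressed point and a hash of the raw SubjectPublicKeyInfo bytes would only match one of the two encodings. Below is an added example (my own, not code from the thread, from badkeys or from the debianopenssl repository) that canonicalises a named-curve EC SubjectPublicKeyInfo and looks it up in a blocklist; the entry format, the sample blocklist and the P-256 generator point standing in for a weak key are all constructed for illustration.

```python
import hashlib

# DER-encoded OIDs: id-ecPublicKey, then the two named curves the thread mentions.
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")
CURVES = {bytes.fromhex("2a8648ce3d030107"): ("P-256", 32), bytes.fromhex("2b81040022"): ("P-384", 48)}

def _tlv(buf, pos):  # one DER tag/length/value at pos -> (tag, value, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def canonical_ec_key(spki_der):
    """(curve, compressed point); uncompressed 04||x||y and compressed 02/03||x give the same result."""
    tag, spki, _ = _tlv(spki_der, 0)
    tag_alg, algid, pos = _tlv(spki, 0)
    if tag != 0x30 or tag_alg != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, alg_oid, p = _tlv(algid, 0)
    tag_curve, curve_oid, _ = _tlv(algid, p)
    if alg_oid != EC_PUBLIC_KEY_OID or tag_curve != 0x06 or curve_oid not in CURVES:
        raise ValueError("not an EC key on a supported named curve")  # tag 0x30 = explicit params
    curve, flen = CURVES[curve_oid]
    tag_bits, bits, _ = _tlv(spki, pos)
    if tag_bits != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    point = bits[1:]
    if point[0] == 0x04 and len(point) == 1 + 2 * flen:
        x, y = point[1:1 + flen], point[1 + flen:]
        return curve, bytes([0x03 if y[-1] & 1 else 0x02]) + x  # y parity picks the prefix
    if point[0] in (0x02, 0x03) and len(point) == 1 + flen:
        return curve, bytes(point)
    raise ValueError("malformed EC point")

def blocklist_id(curve, compressed_point):
    """Hypothetical blocklist entry format: SHA-256 over curve name and compressed point."""
    return hashlib.sha256(curve.encode() + compressed_point).hexdigest()

def is_blocked(spki_der, blocklist):
    curve, point = canonical_ec_key(spki_der)
    return blocklist_id(curve, point) in blocklist

def p256_spki(point):
    """Constructed test input: wrap a raw P-256 point in a named-curve SPKI (DER)."""
    algid = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")
    body = algid + bytes([0x03, len(point) + 1, 0x00]) + point
    return bytes([0x30, len(body)]) + body

# Constructed sample: the P-256 generator point stands in for a weak key (it is not one).
GX = bytes.fromhex("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296")
GY = bytes.fromhex("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
BLOCKLIST = {blocklist_id("P-256", b"\x03" + GX)}
```

A real deployment would load the list from the published key material rather than the single constructed entry here, and would reject explicit-parameter encodings outright, as this parser already does.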