Re: [Sks-devel] old certificates

2014-04-29 Thread Christoph Anton Mitterer
On Tue, 2014-04-29 at 12:52 +0200, Kiss Gabor (Bitman) wrote: 
> a.keyserver.pki.scientia.net  Aug  4 15:32:48 2013 GMT
Well, I've written Kristian an email with a new CSR a week or so
ago,... but no reply yet... or have I overlooked something?


Cheers,
Chris


___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] old certificates

2014-04-29 Thread Nat Howard

On Apr 29, 2014, at 6:52, Kiss Gabor (Bitman) wrote:

> Dear all,
> 
> A quick scan of certificates used by current HKPS pool members
> shows that the following servers have a pre-heartbleed certificate:
> 

...
> keyserver.witopia.net Nov  7 22:13:57 2013 GMT
...


> I bet at least one third of these servers is affected by
> the Heartbleed Bug. :-) However I cannot figure out which of them.
> I ask everybody to declare if they did not use a compromised version
> of openssl since the start of the validity period of the certificate.
> 
> Gabor
> 

Hi, Gabor — from the time keyserver.witopia.net was created, it was running an 
old version of freebsd9, and thus a 0.9.8-something version of openssl, so it 
was pre-heartbleed. Phew!

Let me know if you need this signed by any other alias (such as nth at witopia 
dot net) and I’ll be glad to send you something direct.






[Sks-devel] SKS peering problems - sks.disunitedstates.com

2014-04-29 Thread benfell


Hi all,

I finally took a few minutes to go through all the "Not OK" peers on my
status page at https://sks-keyservers.net/status/info/sks.disunitedstates.com


Where I had contact information, I have sent private messages. But there
are a few peers for which I was unable to find contact information (at one
point, I lost my membership file and recreated it, in part from a page
similar to the above).


I noticed one peer still points to cybernude.org. This was shut down a  
while ago. Several still point to disunitedstates.com; I moved the sks  
server onto its own subdomain at sks.disunitedstates.com a while ago. And  
two peers seem to have been dead for a while.


I have commented out these peers from my membership file because I had no  
contact information and peering was broken anyway:


gpg.nebrwesleyan.edu
ice.mudshark.org (apparently dead)
keyserver.kjsl.org
keyserver.layer42.net
pgp.circl.lu
sks.powdarrmonkey.net
keys.klaus-uwe.me (apparently dead)

If the operators of these servers contact me (and, if necessary, resurrect  
their sks servers), I will be happy to re-establish peering with them. I am  
also open for new peering arrangements. My membership line is below:


sks.disunitedstates.com 11370 # David Benfell 0x1236602B


Thanks!

--
David Benfell
See https://parts-unknown.org/node/2 if you do not understand the  
attachment.




Re: [Sks-devel] Cleaning time

2014-04-29 Thread Jeremy T. Bouse
I'm going to follow suit as I'm going to be doing some other general
housecleaning on my servers...

Candidates I have up on the block are:
 - keys.andreas-puls.de
 - keyserver.durcheinandertal.ch
 - keyserver2.computer42.org
 - klucze.achjoj.info
 - pks.aaiedu.hr
 - sks-server.randala.com
 - sqsrv.de

Most of them are missing keys, with one not behind a reverse proxy. I'll
check the status again on 2014-05-09 and begin removals on 2014-05-10 if
status has not changed.

If anyone wants to peer you're welcome to add me to your membership file
and let me know so I can add you to mine as well.

sks.undergrid.net 11370 # Jeremy T. Bouse 0x15D0A62ED01E190C






[Sks-devel] Now with FQDN: keyserver.matteoswelt.de looking for peers

2014-04-29 Thread Matthias Schreiber

Hello again,

finally I also got a domain name. Please feel free to add this line to
your membership file and write me yours:

keyserver.matteoswelt.de 11370  # Matthias Schreiber 0x586A2E13F52616561BFC32C95B964AE610D49726

Greetings,
Matthias


Re: [Sks-devel] old certificates

2014-04-29 Thread Daniel Austin


Hi Gabor/Kristian,

On 29/04/2014 11:52, Kiss Gabor (Bitman) wrote:
> Dear all,
>
> A quick scan of certificates used by current HKPS pool members
> shows that the following servers have a pre-heartbleed certificate:
>
> pgpkeys.eu Mar  9 12:48:04 2014 GMT

I've updated the above server with a new cert from Kristian.


Thanks,

Daniel.




Re: [Sks-devel] old certificates

2014-04-29 Thread Jeremy T. Bouse

On 29.04.2014 14:07, Gabor Kiss wrote:
>> I'm not on the list and if you connect to my server
> 
> I did not. This was the command:
> 
> for server in a.keyserver.pki.scientia.net key.adeti.org key.ip6.li \
>   keys.alderwick.co.uk keys.fedoraproject.org keys.niif.hu keys.sflc.info \
>   keys2.alderwick.co.uk keys2.kfwebs.net keyserver.codinginfinity.com \
>   keyserver.secretresearchfacility.com keyserver.secure-u.de \
>   keyserver.skoopsmedia.net keyserver.ut.mephi.ru keyserver.witopia.net \
>   klucze.achjoj.info pgpkeys.eu sks.alpha-labs.net sks.fidocon.de \
>   sks.karotte.org sks.mrball.net sks.spodhuis.org sks.undergrid.net \
>   zimmermann.mayfirst.org
> do
> echo $server
> openssl s_client -servername hkps.pool.sks-keyservers.net \
> -connect $server:443 </dev/null 2>/dev/null |
> openssl x509 -noout -text |
> grep 'Not Before'
> done



That command could be used to remove one pipe fork by changing 'openssl
x509 -noout -text' to 'openssl x509 -noout -startdate', removing the
need for the additional pipe for the grep call.





Re: [Sks-devel] old certificates

2014-04-29 Thread Gabor Kiss
> I'm not on the list and if you connect to my server

I did not. This was the command:

for server in a.keyserver.pki.scientia.net key.adeti.org key.ip6.li \
  keys.alderwick.co.uk keys.fedoraproject.org keys.niif.hu keys.sflc.info \
  keys2.alderwick.co.uk keys2.kfwebs.net keyserver.codinginfinity.com \
  keyserver.secretresearchfacility.com keyserver.secure-u.de \
  keyserver.skoopsmedia.net keyserver.ut.mephi.ru keyserver.witopia.net \
  klucze.achjoj.info pgpkeys.eu sks.alpha-labs.net sks.fidocon.de \
  sks.karotte.org sks.mrball.net sks.spodhuis.org sks.undergrid.net \
  zimmermann.mayfirst.org
do
echo $server
openssl s_client -servername hkps.pool.sks-keyservers.net \
-connect $server:443 </dev/null 2>/dev/null |
openssl x509 -noout -text |
grep 'Not Before'
done

Only the current members of HKPS pool were tested.


> (pgp.benny-baumann.de) you will find it will talk to you using an HKPS

FYI:
s_client fails with your server. ("no peer certificate available")

> certificate - but responds to your query with plaintext - which is a known

> No affected OpenSSL version in the webserver process.

Good news. :-)
Thanks

Gabor
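Added example, not Gabor's script and not anything from the SKS project: the scan above rewritten as a POSIX shell script with Jeremy's `-startdate` substitution in place of `-text | grep 'Not Before'`, plus an offline parser for the `notBefore=` line so the date comparison can be exercised without contacting the pool. The cutoff date (2014-04-07, the day Heartbleed was disclosed and OpenSSL 1.0.1g was released), the constructed sample lines in `demo_offline` and the function names are assumptions of this example; the SNI name `hkps.pool.sks-keyservers.net` is the one used in the thread.

```shell
#!/bin/sh
# Added example: scan HKPS pool members for certificates whose validity
# started before the Heartbleed fix was available, using
# `openssl x509 -noout -startdate` instead of `-text | grep 'Not Before'`.

# Chosen cutoff: 2014-04-07, the Heartbleed disclosure / OpenSSL 1.0.1g date.
# A key generated on a vulnerable host before this date may have been exposed,
# so certificates starting before it are flagged for reissue.
CUTOFF=20140407

# Map an abbreviated month name to its number (1..12); fail on anything else.
month_num() {
  case "$1" in
    Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
    May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
    Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *) return 1 ;;
  esac
}

# Turn "notBefore=Aug  4 15:32:48 2013 GMT" (the exact format printed by
# `openssl x509 -noout -startdate`) into a sortable YYYYMMDD string.
notbefore_to_ymd() {
  rest=${1#notBefore=}
  set -- $rest               # word-split into: Mon D HH:MM:SS YYYY GMT
  [ $# -eq 5 ] || return 1
  mon=$(month_num "$1") || return 1
  printf '%04d%02d%02d\n' "$4" "$mon" "$2"
}

# Exit 0 when the certificate started before the cutoff (needs reissuing),
# 1 when it started on or after the cutoff, 2 when the line cannot be parsed.
check_startdate() {
  ymd=$(notbefore_to_ymd "$1") || { echo "unparseable: $1"; return 2; }
  if [ "$ymd" -lt "$CUTOFF" ]; then
    echo "pre-heartbleed ($ymd), reissue"
    return 0
  fi
  echo "issued after cutoff ($ymd)"
  return 1
}

# Live scan over the network. A server that presents no certificate at all
# (the "no peer certificate available" case from the thread) is reported
# instead of vanishing from the pipeline output.
scan_pool() {
  for server in "$@"; do
    start=$(openssl s_client -servername hkps.pool.sks-keyservers.net \
              -connect "$server:443" </dev/null 2>/dev/null |
            openssl x509 -noout -startdate 2>/dev/null)
    printf '%-40s ' "$server"
    if [ -z "$start" ]; then
      echo "no peer certificate available"
      continue
    fi
    check_startdate "$start" || true
  done
}

# Offline demonstration on constructed sample lines in openssl's format.
demo_offline() {
  for line in 'notBefore=Aug  4 15:32:48 2013 GMT' \
              'notBefore=Mar  9 12:48:04 2014 GMT' \
              'notBefore=Apr 20 09:00:00 2014 GMT' \
              'garbage'; do
    check_startdate "$line" || true
  done
}

# Uncomment to run against live servers, e.g.:
# scan_pool pgpkeys.eu keyserver.witopia.net
demo_offline
```

A start date before the cutoff is only a hint: several replies in the thread explain that the key was generated on an unaffected OpenSSL, so the flagged list still needs the operators' declarations before anyone is asked to reissue.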



Re: [Sks-devel] old certificates

2014-04-29 Thread Benny Baumann
Hi,

On 29.04.2014 12:52, Kiss Gabor (Bitman) wrote:
> Dear all,
>
> A quick scan of certificates used by current HKPS pool members
> shows that the following servers have a pre-heartbleed certificate:
>
> a.keyserver.pki.scientia.net  Aug  4 15:32:48 2013 GMT
> key.adeti.org Mar  9 12:35:57 2014 GMT
> key.ip6.liNov  9 14:26:10 2013 GMT
> keys.alderwick.co.uk  Feb  7 18:22:08 2014 GMT
> keys.fedoraproject.orgAug  6 08:22:21 2013 GMT
> keys.sflc.infoOct  2 19:57:20 2013 GMT
> keys2.alderwick.co.uk Feb  7 18:22:36 2014 GMT
> keyserver.codinginfinity.com  Jan  9 21:24:09 2014 GMT
> keyserver.secretresearchfacility.com  Jul  5 00:02:38 2013 GMT
> keyserver.secure-u.de Jan 13 19:18:27 2014 GMT
Will poke the maintainer accordingly, server probably affected AFAIK.
> keyserver.skoopsmedia.net Nov 19 18:24:26 2013 GMT
> keyserver.ut.mephi.ru Nov 13 12:45:02 2013 GMT
> keyserver.witopia.net Nov  7 22:13:57 2013 GMT
> klucze.achjoj.infoNov 13 19:37:55 2013 GMT
> pgpkeys.euMar  9 12:48:04 2014 GMT
> sks.fidocon.deAug 31 11:22:45 2013 GMT
Same person. Same procedure.
> sks.karotte.org   Jul  4 21:10:30 2013 GMT
> sks.mrball.netOct  4 22:02:56 2013 GMT
> sks.undergrid.net Nov 14 17:52:09 2013 GMT
> zimmermann.mayfirst.org   Nov 13 20:49:36 2013 GMT
I'm not on the list and if you connect to my server
(pgp.benny-baumann.de) you will find it will talk to you using an HKPS
certificate - but responds to your query with plaintext - which is a known
bug in the used wrapper (mod_gnutls combined with mod_proxy). Thus: My
server is not affected. Once this issue is fixed you'll find the
certificate continues to be used.
> I bet at least one third of these servers is affected by
> the Heartbleed Bug. :-) However I cannot figure out which of them.
> I ask everybody to declare if they did not use a compromised version
> of openssl since the start of the validity period of the certificate.
No affected OpenSSL version in the webserver process.
> Gabor
Regards,
BenBE.





Re: [Sks-devel] old certificates

2014-04-29 Thread Stephan Seitz
Hi there!

> A quick scan of certificates used by current HKPS pool members
> shows that the following servers have a pre-heartbleed certificate:

> keyserver.secretresearchfacility.comJul  5 00:02:38 2013 GMT

This one had been affected by heartbleed for a few weeks. Well, since
I rebuilt ssl to get a recent ECC implementation and until the
heartbleed patch was released...

I'll create a new key and send Kristian a CSR...

I was already aware of that, but thanks for the heads-up, that speeds
things up :)

cheers,

- Stephan






Re: [Sks-devel] Configuring the reverse proxy to support large keys - HTTP error 413

2014-04-29 Thread Tobias Frei
Hi,

thanks for the information; I have now updated my nginx configuration. :)

Best regards,
Tobias Frei



On 28.04.2014 18:25, Kristian Fiskerstrand wrote:
> I've received reports that uploading some (large) keys to some of the
> keyservers in the pool (my test shows failure on 30 servers after
> trying to run against 115: These are listed in [A]) results in a
> gpgkeys: HTTP post error 22: The requested URL returned error: 413
> Request Entity Too Large
> 
> In this case the Content-Length is 1377406, seemingly exceeding the
> default nginx configuration. The fix for nginx is to set
> client_max_body_size 2m; (or larger) in the http context of nginx.conf.
> 
> I have not yet implemented an automated check for this in the pool
> (and a bit unsure how I'd do it without actually sending large amount
> of data to the server during the check, something I generally want to
> avoid), but might run a semi-manual / scripted check and add affected
> servers to the blacklist if the issue persists after some time.
> 
> gpg2 --send-key DE7AAF6E94C09C7F can be used to test.
> 
> Please consider re-configuring the servers accordingly.
> 
> [A] non-exhaustive list of servers affected
> sks.spodhuis.org
> zimmermann.mayfirst.org
> vm-keyserver.spline.inf.fu-berlin.de
> keyserver.mesh.deuxpi.ca
> sks.fidocon.de
> keys.exosphere.de
> keys.sflc.info
> pgpkeys.mallos.nl
> keyserver.uz.sns.it
> openpgp.andrew.kvalhe.im
> pgp.gmu.edu
> keyserver.compbiol.bio.tu-darmstadt.de
> keys2.alderwick.co.uk
> keys.alderwick.co.uk
> keyserver.advmapper.com
> sks.undergrid.net
> keys.jhcloos.com
> sks.alpha-labs.net
> pgpkey.org
> keys.indymedia.org
> pgp.freiwuppertal.de
> keyserver.linuxpro.nl
> keyserver.secure-u.de
> sks.stsisp.ro
> key.ip6.li
> keys-01.licoho.de
> key.adeti.org
> keys-02.licoho.de
> keyserver.durcheinandertal.ch
> keyserver.blupill.com
> 
> 
> --
> 
> Kristian Fiskerstrand
> Blog: http://blog.sumptuouscapital.com
> Twitter: @krifisk
> 
> Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> 
> Varitatio delectat
> Change pleases
> 
> 
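Added example, not Kristian's pool check and not part of nginx or SKS: a small shell check that reads an nginx configuration text for `client_max_body_size`, falls back to nginx's built-in 1m default when the directive is absent, and reports whether the 1377406-byte upload from the report would be accepted or answered with 413. The two config fragments are constructed for this example (the backend address 127.0.0.1:11371 and the server block are assumptions), as are the function names.

```shell
#!/bin/sh
# Added example: would this nginx reverse-proxy configuration reject the
# key upload from the report with "413 Request Entity Too Large"?

# Content-Length of the key whose upload failed, per the report.
KEY_BYTES=1377406

# Constructed sample: a fragment that leaves client_max_body_size at nginx's
# built-in default of 1m, which is what produced the 413 responses.
WEAK_CONF='
http {
    server {
        listen 443 ssl;
        server_name hkps.pool.sks-keyservers.net;
        location / { proxy_pass http://127.0.0.1:11371; }
    }
}
'

# Corrected fragment: the limit raised in the http context, as recommended.
FIXED_CONF='
http {
    client_max_body_size 2m;
    server {
        listen 443 ssl;
        server_name hkps.pool.sks-keyservers.net;
        location / { proxy_pass http://127.0.0.1:11371; }
    }
}
'

# Convert an nginx size value ("1m", "512k", "2048") to bytes.
size_to_bytes() {
  v=$1
  case "$v" in
    *[mM]) echo $(( ${v%[mM]} * 1024 * 1024 )) ;;
    *[kK]) echo $(( ${v%[kK]} * 1024 )) ;;
    *)     echo "$v" ;;
  esac
}

# Print the effective client_max_body_size in bytes for a config text.
# Only the first occurrence is considered; nginx's default (1m) applies
# when the directive is absent.
effective_max_body() {
  v=$(printf '%s\n' "$1" |
      sed -n 's/^[[:space:]]*client_max_body_size[[:space:]]*\([0-9][0-9]*[kKmM]\{0,1\}\)[[:space:]]*;.*/\1/p' |
      head -n 1)
  [ -n "$v" ] || v=1m
  size_to_bytes "$v"
}

# Exit 0 if an upload of $2 bytes fits under the limit in config text $1,
# 1 if nginx would answer 413.
accepts_upload() {
  limit=$(effective_max_body "$1")
  [ "$limit" -ge "$2" ]
}

# Human-readable verdict for a named config text.
report() {
  limit=$(effective_max_body "$2")
  if accepts_upload "$2" "$KEY_BYTES"; then
    echo "$1: limit $limit bytes, key of $KEY_BYTES bytes accepted"
  else
    echo "$1: limit $limit bytes, key of $KEY_BYTES bytes -> 413"
  fi
}

report weak  "$WEAK_CONF"
report fixed "$FIXED_CONF"
```

The check only looks at the first `client_max_body_size` it finds; nginx also accepts the directive in server and location contexts, where a smaller value overrides the http-level one, so on a live host run it over the output of `nginx -T` (the fully merged configuration, including any included files) rather than over nginx.conf alone.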





[Sks-devel] old certificates

2014-04-29 Thread Kiss Gabor (Bitman)
Dear all,

A quick scan of certificates used by current HKPS pool members
shows that the following servers have a pre-heartbleed certificate:

a.keyserver.pki.scientia.netAug  4 15:32:48 2013 GMT
key.adeti.org   Mar  9 12:35:57 2014 GMT
key.ip6.li  Nov  9 14:26:10 2013 GMT
keys.alderwick.co.ukFeb  7 18:22:08 2014 GMT
keys.fedoraproject.org  Aug  6 08:22:21 2013 GMT
keys.sflc.info  Oct  2 19:57:20 2013 GMT
keys2.alderwick.co.uk   Feb  7 18:22:36 2014 GMT
keyserver.codinginfinity.comJan  9 21:24:09 2014 GMT
keyserver.secretresearchfacility.comJul  5 00:02:38 2013 GMT
keyserver.secure-u.de   Jan 13 19:18:27 2014 GMT
keyserver.skoopsmedia.net   Nov 19 18:24:26 2013 GMT
keyserver.ut.mephi.ru   Nov 13 12:45:02 2013 GMT
keyserver.witopia.net   Nov  7 22:13:57 2013 GMT
klucze.achjoj.info  Nov 13 19:37:55 2013 GMT
pgpkeys.eu  Mar  9 12:48:04 2014 GMT
sks.fidocon.de  Aug 31 11:22:45 2013 GMT
sks.karotte.org Jul  4 21:10:30 2013 GMT
sks.mrball.net  Oct  4 22:02:56 2013 GMT
sks.undergrid.net   Nov 14 17:52:09 2013 GMT
zimmermann.mayfirst.org Nov 13 20:49:36 2013 GMT

I bet at least one third of these servers is affected by
the Heartbleed Bug. :-) However I cannot figure out which of them.
I ask everybody to declare if they did not use a compromised version
of openssl since the start of the validity period of the certificate.

Gabor
