Re: [Sks-devel] old certificates
On Tue, Apr 29, 2014 at 12:52:54PM +0200, Kiss Gabor (Bitman) wrote:
> Dear all,
>
> A quick scan of certificates used by current HKPS pool members
> shows that the following servers have pre-heartbleed certificate:
>
> sks.mrball.net Oct 4 22:02:56 2013 GMT

I was running openssl-1.0.1e, and I upgraded last week to openssl-1.0.1g (my build). My old cert has been revoked by Kristian and I am now running with a new cert.

--
Regards... Todd
Exponential problems need logarithmic solutions. --Eddy Dreger
Linux kernel 2.6.32-431.1.2.0.1.el6.x86_64 1 user, load average: 0.00, 0.00, 0.00

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] old certificates
On 04/29/2014 06:52 AM, Kiss Gabor (Bitman) wrote:
> sks.undergrid.net Nov 14 17:52:09 2013 GMT
>
> I ask everybody to declare if they did not use compromised version
> of openssl since the start of validity period of certificate.

I do not believe my hosts were running compromised versions of openssl, but I'm not 100% certain; however, as several of my other SSL certificates on other servers are due to expire and a few were running compromised versions, I am going through and re-keying my entire SSL environment, so I'll be getting a new key and CSR generated and sent in. It is my hope to get this done over the weekend, as my schedule has been crazy thus far just getting all the hosts upgraded.
Re: [Sks-devel] old certificates
James Cloos writes:
>> "KG" == Kiss Gabor (Bitman) writes:
> KG> I ask everybody to declare if they did not use compromised version
> KG> of openssl since the start of validity period of certificate.
>
> The cert currently used by keys.jhcloos.com, issued 2014/April/11, was
> generated by gnutls and, where used with openssl, only used with 1.0.1g.

sks.disunitedstates.com is using a Class 2 StartSSL certificate, generated since heartbleed, used only with versions of openssl that have been patched for heartbleed.

--
David Benfell
See https://parts-unknown.org/node/2 if you do not understand the attachment.
Re: [Sks-devel] old certificates
> "KG" == Kiss Gabor (Bitman) writes:
KG> I ask everybody to declare if they did not use compromised version
KG> of openssl since the start of validity period of certificate.

The cert currently used by keys.jhcloos.com, issued 2014/April/11, was generated by gnutls and, where used with openssl, only used with 1.0.1g.

-JimC
--
James Cloos
OpenPGP: 0x997A9F17ED7DAEA6
Re: [Sks-devel] old certificates
Dear all,

On Tue, Apr 29, 2014 at 12:52:54PM +0200, Kiss Gabor (Bitman) wrote:
> keys.alderwick.co.uk Feb 7 18:22:08 2014 GMT
> keys2.alderwick.co.uk Feb 7 18:22:36 2014 GMT

They were vulnerable for a couple of days, so I've replaced their private keys and certs. Thanks very much for the scan, Gabor!

Best wishes,
Andy
Re: [Sks-devel] old certificates
On 04/30/2014 03:16 AM, Christoph Anton Mitterer wrote:
> On Tue, 2014-04-29 at 12:52 +0200, Kiss Gabor (Bitman) wrote:
>> a.keyserver.pki.scientia.net Aug 4 15:32:48 2013 GMT
> Well I've written Kristian an email with a new CSR some week or so
> ago,... but no reply yet... or have I overseen something?

... no, but I have... thanks for the heads up, a new cert should be in the mail..

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Ne nuntium necare
Don't kill the messenger
Re: [Sks-devel] old certificates
On Tue, 2014-04-29 at 12:52 +0200, Kiss Gabor (Bitman) wrote:
> a.keyserver.pki.scientia.net Aug 4 15:32:48 2013 GMT

Well I've written Kristian an email with a new CSR some week or so ago,... but no reply yet... or have I overseen something?

Cheers,
Chris
Re: [Sks-devel] old certificates
On Apr 29, 2014, at 6:52, Kiss Gabor (Bitman) wrote:
> Dear all,
>
> A quick scan of certificates used by current HKPS pool members
> shows that the following servers have pre-heartbleed certificate:
> ...
> keyserver.witopia.net Nov 7 22:13:57 2013 GMT
> ...
> I bet at least one third of these servers is affected by
> Heartbleed Bug. :-) However I cannot figure out which of them.
> I ask everybody to declare if they did not use compromised version
> of openssl since the start of validity period of certificate.
>
> Gabor

Hi, Gabor — from the time keyserver.witopia.net was created, it was running an old version of freebsd9, and thus a 0.9.8-something version of openssl, so it was pre-heartbleed. Phew! Let me know if you need this signed by any other alias (such as nth at witopia dot net) and I'll be glad to send you something direct.
Re: [Sks-devel] old certificates
Hi Gabor/Kristian,

On 29/04/2014 11:52, Kiss Gabor (Bitman) wrote:
> Dear all,
>
> A quick scan of certificates used by current HKPS pool members
> shows that the following servers have pre-heartbleed certificate:
>
> pgpkeys.eu Mar 9 12:48:04 2014 GMT

I've updated the above server with a new cert from Kristian.

Thanks,
Daniel.
Re: [Sks-devel] old certificates
On 29.04.2014 14:07, Gabor Kiss wrote:
>> I'm not on the list and if you connect to my server
> I did not. This was the command:
>
> for server in a.keyserver.pki.scientia.net key.adeti.org key.ip6.li \
>   keys.alderwick.co.uk keys.fedoraproject.org keys.niif.hu keys.sflc.info \
>   keys2.alderwick.co.uk keys2.kfwebs.net keyserver.codinginfinity.com \
>   keyserver.secretresearchfacility.com keyserver.secure-u.de \
>   keyserver.skoopsmedia.net keyserver.ut.mephi.ru keyserver.witopia.net \
>   klucze.achjoj.info pgpkeys.eu sks.alpha-labs.net sks.fidocon.de \
>   sks.karotte.org sks.mrball.net sks.spodhuis.org sks.undergrid.net \
>   zimmermann.mayfirst.org
> do
>   echo $server
>   openssl s_client -servername hkps.pool.sks-keyservers.net \
>     -connect $server:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep 'Not Before'
> done

That command could be used to remove one pipe fork by changing 'openssl x509 -noout -text' to 'openssl x509 -noout -startdate', which removes the need for the additional pipe for the grep call.
Re: [Sks-devel] old certificates
> I'm not on the list and if you connect to my server

I did not. This was the command:

for server in a.keyserver.pki.scientia.net key.adeti.org key.ip6.li \
  keys.alderwick.co.uk keys.fedoraproject.org keys.niif.hu keys.sflc.info \
  keys2.alderwick.co.uk keys2.kfwebs.net keyserver.codinginfinity.com \
  keyserver.secretresearchfacility.com keyserver.secure-u.de \
  keyserver.skoopsmedia.net keyserver.ut.mephi.ru keyserver.witopia.net \
  klucze.achjoj.info pgpkeys.eu sks.alpha-labs.net sks.fidocon.de \
  sks.karotte.org sks.mrball.net sks.spodhuis.org sks.undergrid.net \
  zimmermann.mayfirst.org
do
  echo $server
  openssl s_client -servername hkps.pool.sks-keyservers.net \
    -connect $server:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep 'Not Before'
done

Only the current members of HKPS pool were tested.

> (pgp.benny-baumann.de) you will find it will talk to you using a HKPS

FYI: s_client fails with your server. ("no peer certificate available")

> certificate - but responds your query with plaintext - which is a known

> No affected OpenSSL version in the webserver process.

Good news. :-)

Thanks

Gabor
Re: [Sks-devel] old certificates
Hi,

On 29.04.2014 12:52, Kiss Gabor (Bitman) wrote:
> Dear all,
>
> A quick scan of certificates used by current HKPS pool members
> shows that the following servers have pre-heartbleed certificate:
>
> a.keyserver.pki.scientia.net Aug 4 15:32:48 2013 GMT
> key.adeti.org Mar 9 12:35:57 2014 GMT
> key.ip6.li Nov 9 14:26:10 2013 GMT
> keys.alderwick.co.uk Feb 7 18:22:08 2014 GMT
> keys.fedoraproject.org Aug 6 08:22:21 2013 GMT
> keys.sflc.info Oct 2 19:57:20 2013 GMT
> keys2.alderwick.co.uk Feb 7 18:22:36 2014 GMT
> keyserver.codinginfinity.com Jan 9 21:24:09 2014 GMT
> keyserver.secretresearchfacility.com Jul 5 00:02:38 2013 GMT
> keyserver.secure-u.de Jan 13 19:18:27 2014 GMT

Will poke the maintainer accordingly, server probably affected AFAIK.

> keyserver.skoopsmedia.net Nov 19 18:24:26 2013 GMT
> keyserver.ut.mephi.ru Nov 13 12:45:02 2013 GMT
> keyserver.witopia.net Nov 7 22:13:57 2013 GMT
> klucze.achjoj.info Nov 13 19:37:55 2013 GMT
> pgpkeys.eu Mar 9 12:48:04 2014 GMT
> sks.fidocon.de Aug 31 11:22:45 2013 GMT

Same person. Same procedure.

> sks.karotte.org Jul 4 21:10:30 2013 GMT
> sks.mrball.net Oct 4 22:02:56 2013 GMT
> sks.undergrid.net Nov 14 17:52:09 2013 GMT
> zimmermann.mayfirst.org Nov 13 20:49:36 2013 GMT

I'm not on the list and if you connect to my server (pgp.benny-baumann.de) you will find it will talk to you using a HKPS certificate - but responds to your query with plaintext - which is a known bug in the used wrapper (mod_gnutls combined with mod_proxy). Thus: My server is not affected. Once this issue is fixed you'll find the certificate continued being used.

> I bet at least one third of these servers is affected by
> Heartbleed Bug. :-) However I cannot figure out which of them.
> I ask everybody to declare if they did not use compromised version
> of openssl since the start of validity period of certificate.

No affected OpenSSL version in the webserver process.

> Gabor

Regards,
BenBE.
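The triage this thread performs by hand has two steps: Gabor's scan flags every certificate whose validity started before the Heartbleed fix shipped, and each operator then declares which OpenSSL versions served that certificate, which decides whether the key must be replaced. The following Python is an added example of that logic, not code from the thread or from the SKS project. It takes the `notBefore=` line printed by `openssl x509 -noout -startdate` (the form suggested above) plus the declared version list; the sample records are constructed from the declarations in this thread, the time of day for keys.jhcloos.com is a placeholder, and all function names are my own.

```python
"""Triage of HKPS pool certificates after Heartbleed (CVE-2014-0160).

Added example, not code from this thread or from the SKS project. Input is
the 'notBefore=' line printed by `openssl x509 -noout -startdate` for each
server, plus the OpenSSL versions the operator declares to have run since
the start of the certificate's validity period. Function names are mine.
"""
import re
from datetime import datetime, timezone

# OpenSSL 1.0.1g, the first 1.0.1 release without the heartbeat over-read,
# shipped on 7 April 2014. A certificate whose validity started earlier is
# one whose key may have sat in the memory of a vulnerable build.
HEARTBLEED_FIX = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_not_before(line: str) -> datetime:
    """Parse 'notBefore=Oct  4 22:02:56 2013 GMT' (or the bare date string)."""
    value = line.split("=", 1)[1] if "=" in line else line
    value = re.sub(r"\s+", " ", value.strip())          # openssl pads single-digit days
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def needs_declaration(not_before_line: str) -> bool:
    """Scan step: the certificate predates the fix, so the operator must declare."""
    return parse_not_before(not_before_line) < HEARTBLEED_FIX


def openssl_vulnerable(version: str) -> bool:
    """Heartbleed affects 1.0.1 through 1.0.1f and 1.0.2-beta1 only.

    0.9.8 and 1.0.0 never contained the TLS heartbeat code; 1.0.1g and
    later carry the fix. Anything unparseable is an error, not 'safe'.
    """
    version = version.strip()
    if version == "1.0.2-beta1":
        return True
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = m.groups()
    return (major, minor, patch) == ("1", "0", "1") and letter < "g"


def classify(versions_since_validity_start) -> str:
    """'rekey' if the key may have leaked, 'ok' otherwise.

    The key is only safe if no vulnerable build ever served it; a single
    vulnerable version anywhere in the declared history is enough to rekey.
    """
    if any(openssl_vulnerable(v) for v in versions_since_validity_start):
        return "rekey"
    return "ok"


# Constructed sample records: notBefore values follow what the scan printed
# (keys.jhcloos.com's time of day is a placeholder); the version lists
# summarise what each operator declared in the thread.
DECLARATIONS = {
    "sks.mrball.net":        ("notBefore=Oct  4 22:02:56 2013 GMT", ["1.0.1e", "1.0.1g"]),
    "keyserver.witopia.net": ("notBefore=Nov  7 22:13:57 2013 GMT", ["0.9.8"]),
    "keys.jhcloos.com":      ("notBefore=Apr 11 00:00:00 2014 GMT", ["1.0.1g"]),
}


def triage(declarations=DECLARATIONS) -> dict:
    """Return {server: (flagged_by_scan, 'rekey' | 'ok')} for each declaration."""
    result = {}
    for server, (not_before_line, versions) in declarations.items():
        flagged = needs_declaration(not_before_line)
        result[server] = (flagged, classify(versions))
    return result


if __name__ == "__main__":
    for server, (flagged, verdict) in triage().items():
        print(f"{server:28} scan-flagged={flagged!s:5} verdict={verdict}")
```

The verdict deliberately does not depend on the notBefore date alone: a certificate issued after 7 April 2014 on a host that kept running 1.0.1f would still come out as `rekey`, and a pre-fix certificate on a 0.9.8 host comes out `ok`, which is exactly the witopia case above. Unknown version strings raise rather than being treated as safe, so a typo in a declaration cannot silently clear a server.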
Re: [Sks-devel] old certificates
Hi there!

> A quick scan of certificates used by current HKPS pool members
> shows that the following servers have pre-heartbleed certificate:
> keyserver.secretresearchfacility.com Jul 5 00:02:38 2013 GMT

This one had been affected by heartbleed for a few weeks. Well, since I've rebuilt ssl to get recent ECC implementation and until the heartbleed patch has been released... I'll create a new key and send Kristian a CSR... I already was aware of that, but thanks for the heads-up, that speeds up things :)

cheers,
- Stephan