On Thu, May 15, 2008 at 07:39:01 +1000, Mary Gardiner wrote:

> I haven't tried OpenVPN yet, but a new security advisory came out this
> morning saying "A regression was introduced in OpenVPN when using TLS
> and multi-client/server which caused OpenVPN to not start when using
> valid SSL certificates... It was also found that openssl-vulnkey from

That was it.  I've applied the latest update and my VPN now works
again :-)

Now, does anyone know why, if the problem is that only the 15-bit PID
was used for entropy when these vulnerable keys were generated, the
blacklists contain more than 2^15 keys?  The 2048-bit RSA and 1024-bit
DSA blacklists each have 98307 entries, and the openvpn blacklist has
98304.  H.D. Moore's lists of ssh keys contain only 32K keys each, as
I'd expect (http://metasploit.com/users/hdm/tools/debian-openssl/).

The reason I ask is that I've generated 32K limited-entropy 1024-bit
RSA keys for a blacklist to check some keys we use internally (although
it's extremely unlikely any of them were generated on a vulnerable
system), and I was wondering if I should be generating more somehow.
And if anyone wants my blacklist, let me know & I'll make it available.


Thanks,

John
-- 
I've had attacks of diarrhea that were cleaner than VisualBasic.
            -- Lionel Lauer
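The kind of blacklist check described above, as an added example in Python that is not part of this thread. It assumes the openssl-vulnkey convention (an assumption here, not stated in the mail) that an entry is the last 80 bits of the SHA-1 over the exact text `openssl rsa -noout -modulus` prints, and it builds a constructed blacklist from stand-in moduli rather than from real weak keys.

```python
import hashlib

def blacklist_id(modulus_hex: str) -> str:
    """Identifier of an RSA modulus in the assumed openssl-vulnkey scheme:
    SHA-1 over "Modulus=" + uppercase hex + newline (what `openssl rsa
    -noout -modulus` prints), keeping only the last 20 hex digits (80 bits).
    Hex case is normalised so the same key always yields the same id."""
    line = "Modulus=" + modulus_hex.strip().upper() + "\n"
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-20:]

def load_blacklist(text: str) -> set:
    """Parse a blacklist file: '#' comment lines and blank lines are not key
    hashes, so the number of file lines overstates the number of entries."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(line.lower())
    return entries

def is_blacklisted(modulus_hex: str, blacklist: set) -> bool:
    """True if this modulus is one of the known weak (PID-seeded) keys."""
    return blacklist_id(modulus_hex) in blacklist

def blacklist_stats(text: str):
    """(file lines, key entries): the pair a practitioner should compare
    against the expected count of 2**15 keys per architecture/key type."""
    return len(text.splitlines()), len(load_blacklist(text))

# Constructed stand-in moduli (hypothetical values, not real weak keys); a real
# list would hold the 2**15 moduli reachable from a 15-bit PID per platform.
WEAK_MODULI = ["C0FFEE1234", "DEADBEEF01", "0BADF00D77"]

# Constructed sample file in the assumed layout: comment header, one id per line.
SAMPLE_BLACKLIST = (
    "# constructed sample blacklist, not a Debian-supplied one\n"
    "# last 80 bits of SHA-1(\"Modulus=<HEX>\\n\")\n"
    + "\n".join(blacklist_id(m) for m in WEAK_MODULI) + "\n"
)

if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST)
    print("lines/entries:", blacklist_stats(SAMPLE_BLACKLIST))
    for m in WEAK_MODULI + ["D00DFEED42"]:
        print(m, "weak" if is_blacklisted(m, bl) else "ok")
```

With a real key, feed the hex after `Modulus=` from `openssl rsa -noout -modulus -in key.pem` to `is_blacklisted`.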
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html