
dirkx at webweaving
May 16, 2008, 1:11 PM
Debian gaffe (DSA-1571-1, CVE-2008-016)
The debian gaffe also affects any 'req's or self-signed certs created on the affected platform. Unfortunately the blacklists generated by folks are not quite complete (yet) -- which took me a while to get confirmed and checked for. As a result of that process - and for your entertainment:

1) Full Moduli for affected keys on Little Endian 32 bit linux with GCC 4 - defaults: http://www.webweaving.org/tmp/moduli-run-1.txt.gz

2) Utility to point at a site to check (for just the above, false positives galore!): http://www.webweaving.org/tmp/checksite <fqdn>

As the simplified tables are still forthcoming from the debian community - and it is always good to cross check:

- if you run linux (any recent version)
- and if you have a big endian machine
- or a 64 bit machine
- or if you happen to have a strange LE 32 bit machine
- and a few hours of CPU time on a modern machine...

then could you do me a favour and fetch:

http://www.webweaving.org/tmp/debian-gaffe.tgz

and run a few keys for me? The above shell script fetches openssl, compiles a specific variation and then (re)creates the 32k possible rsa keys, creating a file containing the Moduli (which can then be cross checked against the output of openssl's -modulus flag when fed the cert of a random site).

For those on Little Endian, 32 bit machines - just the first 10 - 50 would be great - unless they differ from the included sample.txt - in which case I'd be very interested. As I'd love to a) confirm that the next release of the debian tools is complete -and- b) I'd like to put to rest concerns I have that the keyspace is actually larger than expected due to gcc or other variations.

Thanks,
Dw
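The cross check the post describes (compare a certificate's RSA modulus, as printed by `openssl x509 -noout -modulus`, against a list of moduli generated from the broken PRNG) written out as a small POSIX shell script. This is an added example, not the poster's `checksite` utility nor the contents of `debian-gaffe.tgz`. It assumes the moduli list holds one hex modulus per line, optionally with the `Modulus=` or `0x` prefix, and that `openssl` is on the path; the sample moduli used when trying it out are constructed, not real weak keys.

```shell
#!/bin/sh
# check_cert.sh - added example; not the original poster's checksite script.
# Cross-checks a certificate's RSA modulus against a list of moduli that were
# (re)generated from the broken Debian OpenSSL PRNG. The list format is an
# assumption: one hex modulus per line, blank lines and '#' comments ignored,
# with or without the "Modulus=" / "0x" prefix.

# Normalise a modulus string so list entries and openssl output compare equal:
# strip whitespace, a "Modulus=" or "0x" prefix, upper-case the hex digits and
# drop leading zeros (openssl prints the bare big-endian hex value).
norm_modulus() {
    printf '%s' "$1" \
      | tr -d ' \t\r\n' \
      | sed -e 's/^[Mm]odulus=//' -e 's/^0[xX]//' \
      | tr 'a-f' 'A-F' \
      | sed -e 's/^0*//'
}

# Print the normalised modulus of the PEM certificate read from stdin.
cert_modulus() {
    norm_modulus "$(openssl x509 -noout -modulus)"
}

# Return 0 if modulus $1 appears in the moduli list file $2, 1 otherwise.
modulus_listed() {
    want=$(norm_modulus "$1")
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if [ "$(norm_modulus "$line")" = "$want" ]; then
            return 0
        fi
    done < "$2"
    return 1
}

# Usage: check_cert.sh moduli.txt cert.pem
# A site's leaf cert can be saved with:
#   openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509 > cert.pem
# Exit 2 marks a match; no match only means the modulus is not in THIS list.
if [ "$#" -ge 2 ]; then
    m=$(cert_modulus < "$2")
    if modulus_listed "$m" "$1"; then
        echo "WEAK: modulus of $2 found in $1"
        exit 2
    else
        echo "not in $1 (absence from the list does not prove the key is safe)"
    fi
fi
```

The normalisation step is the part worth getting right: a list written by one tool in lower-case with a `0x` prefix and a modulus printed by `openssl x509 -modulus` in upper-case with a `Modulus=` prefix describe the same key, and a naive `grep` of one against the other would silently miss it.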