Your message dated Wed, 22 Jun 2005 14:20:51 +0200 with message-id <[EMAIL PROTECTED]> has caused the Debian Bug report #314465, regarding CA.pl and openssl.cnf default to insecure MD5 digest to be marked as having been forwarded to the upstream software author(s) [EMAIL PROTECTED]
(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---------------------------------------
Date: Wed, 22 Jun 2005 14:20:51 +0200
From: Christoph Martin <[EMAIL PROTECTED]>
To: openssl-bugs@openssl.org
CC: [EMAIL PROTECTED]
Subject: [Fwd: Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest]

Hi folks,

can you please comment on this bug report I got via the Debian bug-tracking system. This is the first time that I heard someone saying that the theoretical weakness of md5 is a real security hole.

Christoph
--
============================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
Internet-Mail: [EMAIL PROTECTED]
Phone: +49-6131-3926337
Fax: +49-6131-3922856

---------------------------------------
Subject: Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest
From: Andreas Bogk <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Date: Thu, 16 Jun 2005 15:04:29 +0200

Package: openssl
Version: 0.9.7e-3
Severity: grave
Tags: security
Justification: user security hole

openssl.cnf defaults to usage of MD5 as digest algorithm for generation of certificates and CAs. MD5 must be considered broken beyond hope, we're not just talking about theoretical attacks, but attacks feasible for everybody. X.509 keys with colliding checksums (and thus false certificates) have been shown. See:

http://www.cits.rub.de/MD5Collisions/

for another example.

Unfortunately, there seem to be problems with RIPEMD160 in practice (e.g. the Debian Thunderbird package doesn't understand RIPEMD160). So the only reasonable choice at the moment is SHA-1, even though SHA-1 has been theoretically weakened already, and RIPEMD160 would be preferable.

I suggest adding

default_md: sha-1

in the req and ca sections of openssl.cnf, and talking the upstream maintainers into supporting SHA-384 or SHA-512.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages openssl depends on:
ii  libc6        2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libssl0.9.7  0.9.7e-3      SSL shared libraries

-- no debconf information
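
An added example, not part of the original messages and not OpenSSL's own code: a small Python check that reads a configuration in openssl.cnf syntax and reports the default_md setting of the req section and of the CA section named by default_ca, which is where the report says the MD5 default lives. The sample configuration, the function names and the weak-digest list are constructed for illustration.

```python
import re

# Constructed sample in openssl.cnf syntax (not the file shipped by any package).
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default     # section that holds the CA settings

[ CA_default ]
dir        = ./demoCA
default_md = md5            # digest used when signing certificates

[ req ]
distinguished_name = req_distinguished_name
"""

WEAK_DIGESTS = {"md2", "md4", "md5"}  # assumption of this example


def parse_cnf(text):
    """Parse [section] / key = value lines into {section: {key: value}}."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_default_md(text):
    """Return {section: (digest or None, verdict)} for req and the CA section."""
    cnf = parse_cnf(text)
    # [ ca ] usually points at another section through default_ca.
    ca_section = cnf.get("ca", {}).get("default_ca", "ca")
    report = {}
    for name in ("req", ca_section):
        digest = cnf.get(name, {}).get("default_md")
        if digest is None:
            verdict = "unset"   # the tool's built-in default applies
        else:
            verdict = "weak" if digest.lower() in WEAK_DIGESTS else "ok"
        report[name] = (digest, verdict)
    return report


print(audit_default_md(SAMPLE_CNF))
```

A section reported as "unset" deserves the same attention as one reported as "weak", because the digest then depends on whatever default is compiled into the installed tool.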