Out of curiosity I had a brief look at the openssl-vulnkey script and
found the following:

The openssl-vulnkey is implemented as a wrapper around the openssl binary in 
order to check for weak keys.
One of the problems that occur when wrapping the openssl binary instead of 
making use of the openssl libraries is passing the password to it in a secure 
manner.

man openssl
"
 Several commands accept password arguments, typically using -passin and
       -passout for input and output passwords respectively. These allow the
       password to be obtained from a variety of sources. Both of these
       options take a single argument whose format is described below. If no
       password argument is given and a password is required then the user is
       prompted to enter one: this will typically be read from the current
       terminal with echoing turned off.

       pass:password
                 the actual password is password. Since the password is visible
                 to utilities (like 'ps' under Unix) this form should only
                 be used where security is not important.
"

The openssl-vulnkey calls three functions (get_type, get_bits and get_modulus) 
in order to get the information it needs in order to check for weak keys.
Each function needs to decrypt the key to get its information. Hence the three 
pass phrase questions.

Renaming the openvpn-vulnkey to openssl-vulnkey is just as bad as
replacing the openssl-vulnkey with /bin/true and should be avoided if
you have not checked your keys manually and made sure they're all OK.

So until the script is modified/fixed we're stuck with either 
- typing the password three times 
- replacing the openssl-vulnkey binary

/Patrik

-- 
network-manager-openvpn is incapable of supplying openssl-vulnkey with the 
X.509 key passphrase it requests
https://bugs.launchpad.net/bugs/230197
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
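
The man page excerpt quoted above warns against the pass: form. As an added example (my own code, not the openssl-vulnkey script and not from the bug thread), this shows how a wrapper can hand the passphrase to the openssl binary over an inherited pipe with -passin fd:N, so it never appears in ps, and decrypt the key only once instead of once per question. It assumes the openssl binary is on PATH; the names build_argv, run_openssl, key_facts and demo are hypothetical.

```python
"""Added example (not the openssl-vulnkey script): pass the passphrase to the
openssl binary over a pipe ('-passin fd:N', never 'pass:...') and decrypt once."""
import os
import shutil
import subprocess
import tempfile

OPENSSL = shutil.which("openssl")  # None when the binary is not installed

def build_argv(args, pass_opt=None, fd=None):
    """argv for `openssl <args>`; the pass option is placed right after the
    subcommand so it precedes positional args such as genrsa's bit count."""
    if fd is None:
        return [OPENSSL, *args]
    return [OPENSSL, args[0], pass_opt, f"fd:{fd}", *args[1:]]

def run_openssl(args, passphrase=None, pass_opt="-passin", stdin_data=None):
    """Run openssl, return stdout.  The passphrase goes into a pipe whose read
    end the child inherits; argv carries only 'fd:<n>', so `ps` shows no secret."""
    rfd, pass_fds = None, ()
    if passphrase is not None:
        rfd, wfd = os.pipe()
        os.write(wfd, passphrase.encode() + b"\n")  # short: fits pipe buffer
        os.close(wfd)                                # EOF for the reader
        pass_fds = (rfd,)
    try:
        done = subprocess.run(build_argv(args, pass_opt, rfd), input=stdin_data,
                              capture_output=True, pass_fds=pass_fds, check=True)
    finally:
        if rfd is not None:
            os.close(rfd)
    return done.stdout

def key_facts(encrypted_key_path, passphrase):
    """Decrypt once; modulus and bit length come from the plaintext PEM held in
    memory and fed to openssl on stdin (no temp file, no second prompt)."""
    plain = run_openssl(["rsa", "-in", encrypted_key_path], passphrase)
    mod_line = run_openssl(["rsa", "-noout", "-modulus"], stdin_data=plain)
    modulus_hex = mod_line.decode().strip().split("=", 1)[1]
    return {"modulus": modulus_hex, "bits": int(modulus_hex, 16).bit_length()}

def demo(passphrase="constructed-passphrase", bits=2048):
    """Generate a throwaway encrypted RSA key in a temp dir and inspect it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "enc.pem")
        run_openssl(["genrsa", "-aes128", "-out", path, str(bits)],
                    passphrase, pass_opt="-passout")
        return key_facts(path, passphrase)
```

Running demo() generates a constructed test key and returns its modulus and bit length after a single decryption; the passphrase is only ever visible inside the pipe.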