Flaw Endangers Debian-Based Encryption Keys

tlu · Jul 10, 2008

Ocky said:

I followed suit and also installed the openssl-blacklist extra package. With only
the openssl-blacklist everything was 'Not Blacklisted'.

After installing the extra package I have: 1xKey has Unknown validity;
2x Unsupported exponent, and 1xCompromised (snakeoil.pem ??)

I have just reinstalled Gutsy for my wife (8.04 caused power management
problems with her laptop), and with only openssl-blacklist installed, the only
entry that comes up is the aforementioned "snakeoil" certificate -but Not
Blacklisted (and with different fingerprint).
Looks like everyone has this certificate and whether it is compromised seems to depend on a given
public key algorithm and associated fingerprints. The openssl-blacklist
package obviously didn't include the ones 'found' when also using the 'extra'
pkg. All very confusing.

Regards.
Click to expand...

Ocky, snakeoil.pem was the certificate that was also compromised on my system. I found this thread and executed the command mentioned in post #5. This solved the problem, indeed. However, I'm still unsure what to do with the unknown validity and unsupported exponent certs. I'll have to do some more research.

BTW: Marton Anka, the author of SSL Blacklist, answered my question: "The database I use relies on the entire hash values (all 160 bits) plus some extra information such as creating process ID, etc. The published Ubuntu packages only use the first 80 bits of the hash value."

Ocky · Jul 10, 2008

tlu said:

I found this thread and executed the command mentioned in post #5. This solved the problem, indeed. However, I'm still unsure what to do with the unknown validity and unsupported exponent certs. I'll have to do some more research
Click to expand...

I follow in your footsteps as usual. Yes, thanks, snakeoil cert. can now hold
its head high among its peers in the Not Blacklisted club.
Have set aside about 40 mins. to google for the other stuff, but no luck.

Regards and

Ocky · Jul 14, 2008

I have the exact same output as you, tlu.

Code:

Unsupported exponent '/etc/ssl/certs/Entrust.net_Secure_Personal_CA.pem' (skipping)
Unsupported exponent '/etc/ssl/certs/Entrust.net_Secure_Server_CA.pem' (skipping)
Unsupported exponent '/etc/ssl/certs/Digital_Signature_Trust_Co._Global_CA_3.pem' (skipping)
Unsupported exponent '/etc/ssl/certs/Digital_Signature_Trust_Co._Global_CA_1.pem' (skipping)
Key has unknown validity: /etc/ssl/certs/Verisign_RSA_Secure_Server_CA.pem

(Wollte schon registrieren, aber bemerkte dass der tlu mir zuvorgekommen ist.)

tlu · Jul 14, 2008

Ocky said:

I follow in your footsteps as usual.
Click to expand...

Very frivolous, Ocky, very frivolous!

I have the exact same output as you, tlu.

Code:

Unsupported exponent '/etc/ssl/certs/Entrust.net_Secure_Personal_CA.pem' (skipping)
Unsupported exponent '/etc/ssl/certs/Entrust.net_Secure_Server_CA.pem' (skipping)
Unsupported exponent '/etc/ssl/certs/Digital_Signature_Trust_Co._Global_CA_3.pem' (skipping)
Unsupported exponent '/etc/ssl/certs/Digital_Signature_Trust_Co._Global_CA_1.pem' (skipping)
Key has unknown validity: /etc/ssl/certs/Verisign_RSA_Secure_Server_CA.pem
Click to expand...

Yes, exactly the same entries as here. I haven't had enough time lately to do more research but will not give up.

(Wollte schon registrieren, aber bemerkte dass der tlu mir zuvorgekommen ist.
Click to expand...

Log in or Sign up

Flaw Endangers Debian-Based Encryption Keys

tlu Guest

Ocky Registered Member

Ocky Registered Member

tlu Guest

Log in or Sign up

Flaw Endangers Debian-Based Encryption Keys

tlu Guest

Ocky Registered Member

Ocky Registered Member

tlu Guest

Useful Searches