openvpn-vulnkey disagrees with openssl-vulnkey
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openssl-blacklist (Ubuntu) | Invalid | Undecided | Unassigned | |
| openvpn (Ubuntu) | Invalid | Undecided | Unassigned | |
| openvpn-blacklist (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
Binary package hint: openvpn-blacklist
There are some keys that openssl-vulnkey says are compromised, that openvpn-vulnkey says are not compromised:
$ openvpn-vulnkey sample.key
Not blacklisted: #### sample.key
$ openssl-vulnkey sample.key
COMPROMISED: #### sample.key
I've hashed out some of the output because I'm not sure if leaving it in the bug report presents a security risk, but I can tell you that the hashed-out data was different for each command (i.e., openvpn-vulnkey printed out a different value to openssl-vulnkey).
Which one should be used and trusted when checking openvpn keys? openvpn itself is using openssl-vulnkey to verify whether keys are blacklisted (this has been reported as a bug in other places). The system administrator at my work ran openvpn-vulnkey against all the keys and is adamant that all our keys are safe. Meanwhile I can't start openvpn because it is using openssl-vulnkey to verify the key, which says it's compromised. If openvpn-vulnkey is incorrectly reporting keys as not blacklisted, then this is a serious security issue. The other possibility is that openvpn is incorrectly using openssl-vulnkey.
The release of Ubuntu I am using is 8.04.
Package version is 0.1-0ubuntu0.
Changed in openvpn:
status: New → Invalid
Changed in openssl-blacklist:
status: New → Invalid
Thank you for using Ubuntu and taking the time to report a bug. openvpn-vulnkey and openssl-vulnkey test different types of keys. Specifically, openvpn-vulnkey checks openvpn shared keys as generated with 'openvpn --genkey --secret'. These key files are in a different format from files generated with the openssl command. On the other hand, openssl-vulnkey can check any SSL/TLS x509, CSR or RSA key. OpenVPN can be configured to use either shared keys, or traditional x509 certificates, and it will use openvpn-vulnkey or openssl-vulnkey depending on which type of key is in use. For more information, please see 'man openssl-vulnkey' and 'man openvpn-vulnkey'.
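The distinction the comment above draws (openvpn-vulnkey for OpenVPN static shared keys, openssl-vulnkey for PEM keys, CSRs and certificates) can be applied mechanically by looking at the file's PEM header before running a checker. The following is an added example, not code from the bug report or from either Ubuntu package; it assumes that `openvpn --genkey --secret` files begin with `-----BEGIN OpenVPN Static key V1-----` and that OpenSSL-generated material carries the standard `RSA PRIVATE KEY`, `CERTIFICATE` or `CERTIFICATE REQUEST` headers, and the sample files it writes are constructed placeholders with no real key material.

```shell
#!/bin/sh
# Added example: pick the blacklist checker from the key file's PEM header
# instead of running one tool against every key type.

# Print the checker that applies to FILE ("unknown" if the header is not
# recognised or the file cannot be read).
vulnkey_tool_for() {
    header=$(grep '^-----BEGIN ' "$1" 2>/dev/null | head -n 1)
    case "$header" in
        '-----BEGIN OpenVPN Static key V1-----')
            # Shared key from 'openvpn --genkey --secret': openvpn-vulnkey territory.
            echo openvpn-vulnkey ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN CERTIFICATE-----'|\
        '-----BEGIN CERTIFICATE REQUEST-----')
            # OpenSSL-generated RSA key, x509 certificate or CSR: openssl-vulnkey.
            echo openssl-vulnkey ;;
        *)
            echo unknown ;;
    esac
}

# Run the matching checker on FILE and return its exit status; return 2
# (with a message on stderr) when the key type cannot be determined, so an
# unrecognised file is never silently reported as "not blacklisted".
check_key() {
    tool=$(vulnkey_tool_for "$1")
    if [ "$tool" = unknown ]; then
        echo "check_key: cannot determine key type of $1" >&2
        return 2
    fi
    "$tool" "$1"
}

# Constructed sample files (placeholder bodies, not real key material).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER' \
    '-----END OpenVPN Static key V1-----' > "$SAMPLE_DIR/static.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/rsa.key"
printf 'not a key file\n' > "$SAMPLE_DIR/notes.txt"
```

Calling `check_key /path/to/key` then runs whichever tool the comment says applies, and exits with status 2 for a file neither tool is meant to judge.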