openssl-vulnkey produces 'false negative' when testing with a weak key
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openssl-blacklist (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
Binary package hint: openssl-blacklist
************
Update (2008-08-09)
I found it worrying that openssl-vulnkey would not recognize the weak certificate and I have started clarifications which went in different directions. I have a strong speculation which I have not been able to test yet. I use a network which is serviced by a external service provider. HTTPS access to the internet goes through a proxy which seems to terminate outbound traffic. It then creates a separate HTTPS session to the actual server. Put another way: the certificate that I have downloaded in order to perform my test seems to be the one that has been created by the proxy on-the-fly. The subject name seems to be ok but the certificate does not seem to be the original one.
Put another way: openssl-vulnkey appears to be working fine.
Signed:
Urs Wuergler
************
Dear all,
I installed Ubuntu 8.04 yesterday (2008-07-07), applied all relevant updates and installed 'openssl-blacklist' (using 'Update Manager' for all update-related tasks). I then used openssl-vulnkey to give a somewhat prominent, weak certificate a try [1].
To my surprise I received the message: "not blacklisted".
I have used other services such as the reputed
http://
which confirm that the key material is indeed weak.
The OpenSSL version is '0.9.8g 19 OCT 2007' and I also installed 'openssl-
The relevant certificate [1] in base64 encoding:
-----BEGIN CERTIFICATE-----
MIIFETCCBHqgAwI
Q0gxCzAJBgNVBAg
bSBJVCBTZXJ2aWN
BgNVBAMTIFN3aXN
hvcNAQkBFiFlbmd
NzA2MTMyNTA2Whc
BAgTAkJFMQ0wCwY
aWNlcyBBRzEaMBg
ZC5jb2RlZnJvbXR
LmludGVybmV0QHN
gYEA1hnPBCSe45n
9eae5HrU+
0heB9sg2jVBtOuO
MAwGA1UdEwQFMAM
cnRpZmljYXRlIGR
PVVTL1NUPUFyaXp
T1U9aHR0cDovL2N
PUdvIERhZGR5IFN
dW1iZXI9MDc5Njk
ZGVmcm9tdGhlNzB
YmFkLmNvZGVmcm9
SEExIGZpbmdlcnB
OTI6YTU6ZGE6YWQ
OmMyOjYyOmNlOjQ
CgowDQYJKoZIhvc
WVDQsBBVa8gl2LZ
KhotOCudka+
cZtD8Gg=
-----END CERTIFICATE-----
I am not aware of another (potentially more comprehensive) blacklist and assume that openssl-vulnkey should be ready to use.
Any feedback on this would be highly appreciated as I need to verify hundreds of certificates.
Kind regards,
Urs Wuergler
[1] The weak test certificate at https:/
| description: | updated |
| Jamie Strandboge (jdstrand) wrote | #1 |
| Changed in openssl-blacklist: | |
| status: | New → Invalid |
Thanks for your bug report and sorry for the delay in responding. Ubuntu (and Debian) have the most complete blacklists available in the openssl-blacklist and openssl-
I ran openssl-vulnkey on the attached certificate, and it is not in the database. However, I did get the ssl cert from https:/
$ openssl s_client -connect bad.codefromthe
then copied the certificate into a file. Running openssl-vulnkey on this file shows the certificate as compromised, and indeed, the cert from the website and the one supplied in this bug are different. I am therefore marking this bug as invalid. Please feel free to reopen if you have more information.