[Pkg-openssl-devel] bad debian openssl and -rand option
Christoph Martin
martin at uni-mainz.de
Wed May 21 12:44:38 UTC 2008
Hi Vince,
emaxx-debian wrote:
> emaxx-debian wrote on 16-5-2008 11:48:
>> Hi,
>>
>> I'm not sure this is the right place for my question, but I guess you
>> will tell me if not.
>>
>> I have some SSL keys and certificates that were generated by the bad
>> openssl library under Debian Etch. Before the DSA was out, I already
>> hoped to add extra randomness by using the '-rand' command line option:
>>
>> openssl genrsa -des3 -rand random.dat -out ${HOSTNAME}.pem 1024
>>
>> random.dat (about 2.5 megabytes) was created on the fly with:
>>
>> dump -f random.dat /dev/random
>>
>> My questions are:
>> - Are these certificates just as untrustworthy when I didn't use the
>> -rand option?
>> - Does the entropy from random.dat give me enough uniqueness to keep on
>> using these certificates (they are used for a public governmental website)?
>>
>
> Since I didn't get any response on my question above, can somebody
> please tell if this is the right place to ask my questions about the
> openssl debian package?
>
> Since some SSL keys generated by me could be in danger, I really like an
> answer or a pointer where to ask my question.
You might ask on debian-security at lists.debian.org or on
openssl-dev at openssl.org.
If I understand the problem correctly your keys are not compromised,
because you used your own source of entropy with random.dat. But I am
not really sure about this.
Christoph
--
============================================================================
Christoph Martin, Head of Administrative IT, Uni-Mainz, Germany
Internet-Mail: Christoph.Martin at Verwaltung.Uni-Mainz.DE
Phone: +49-6131-3926337
Fax: +49-6131-3922856