Dirk-Willem van Gulik
Fri, 16 May 2008 13:12:20 -0700
Unfortunately the blacklists generated by folks are not quite complete (yet) -- which took me a while to get confirmed and checked for. As a result of that process - and for your entertainment:
1) Full Moduli for affected keys on Little Endian 32 bit linux with GCC 4 - defaults:
http://www.webweaving.org/tmp/moduli-run-1.txt.gz
2) Utility to point at a site to check (for just the above, false
positives galore!):
http://www.webweaving.org/tmp/checksite <fqdn>
As the simplified tables are still in the coming from the Debian
community - and it is always good to cross check:
- if you run linux (any recent version) - and if you have a big endian machine - or a 64 bit machine - or if you happen to have a strange LE32bit machine. And a few hours of CPU time on a modern machine.... then could you do me a favour and fetch:
http://www.webweaving.org/tmp/debian-gaffe.tgz
and run a few keys for me ?
The above shell script fetches openssl, compiles a specific variation
and then (re)creates the 32k possible rsa keys, creating a file
containing the Moduli (which can then be cross checked against the
output of openssl's -modulus flag - when fed the cert of a random
site).
For those on Little Endian, 32 bit machines - just the first 10 - 50 would be great - unless they differ from the included sample.txt - in which case I'd be very interested.
As I'd love to a) confirm that the next release of the debian tools is complete -and- b) I'd like to put to rest concerns I have that the keyspace is actually larger than expected due to gcc or other variations.
Thanks, Dw
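
Added example, not part of the original message or of the debian-gaffe tarball: a small Python check that compares the `Modulus=` line printed by `openssl x509 -noout -modulus` for a certificate against a list of moduli, as in the cross check described above. It assumes the list holds one hexadecimal modulus per line, optionally gzip-compressed (the layout of moduli-run-1.txt is not shown in the message); the function names and sample values are constructed for illustration.

```python
import gzip
import io
import re

HEX_RE = re.compile(r"^[0-9A-F]+$")


def normalise_modulus(text):
    """Return the modulus as upper-case hex without prefix, colons or
    leading zeros, or None if the text does not contain one."""
    s = text.strip()
    if "=" in s:                        # "Modulus=C0FF..." as printed by openssl
        s = s.split("=", 1)[1]
    s = s.replace(":", "").replace(" ", "").upper().lstrip("0")
    return s if s and HEX_RE.match(s) else None


def open_list(path):
    """Open a plain or gzip-compressed moduli list as text."""
    opener = gzip.open if path.endswith(".gz") else open
    return opener(path, "rt", encoding="ascii", errors="replace")


def load_moduli(stream):
    """Read moduli (assumed layout: one per line) into a set.
    Lines that are not hex, such as comments, are skipped."""
    return {m for m in map(normalise_modulus, stream) if m}


def is_listed(openssl_output, known):
    """True if the modulus in `openssl x509 -noout -modulus` output is in
    the list. Raises ValueError when the input has no modulus, so an
    openssl error message is never mistaken for a clean result."""
    m = normalise_modulus(openssl_output)
    if m is None:
        raise ValueError("no modulus found in input")
    return m in known


if __name__ == "__main__":
    # Constructed sample data, far shorter than real RSA moduli.
    sample_list = io.StringIO("# constructed list\nc0ffee1234\nModulus=00DEADBEEF01\n")
    known = load_moduli(sample_list)
    for out in ("Modulus=C0FFEE1234\n", "Modulus=ABCDEF\n"):
        print(out.strip(), "->", "LISTED" if is_listed(out, known) else "not listed")
```

A match only means the modulus appears in the list that was loaded; a list generated on one architecture says nothing about keys generated on another.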