On 14/05/2018 10:42, Hanno Böck wrote:
> Hi,
>
> Yesterday was the 10y anniversary of the Debian OpenSSL random number
> generator bug.
>
> A few days ago I did a re-check of the CT logs for vulnerable keys.
>
> I found one unexpired, unrevoked certificate issued by a CA called
> "QuoVadis". I reported it and it's been revoked; they told me they'll
> check their systems to see why this certificate issuance wasn't blocked.
>
> https://crt.sh/?id=308235142
>
> I also found an unrevoked WoSign cert that I had already reported last
> year. The abuse contact of WoSign bounces mails.
>
> (My check was semi-thorough; I didn't have access to all the possible
> key combinations that could be generated with the Debian bug. There may
> be more certs in the logs.)


You could try the openssl-blacklist package distributed by Debian in
both source and prepackaged form.  If you use the packaged form, be sure
to include the openssl-blacklist-extra package which contains the lists
of RSA-4096 and RSA-512 keys.

Their included checking program (in the .diff file) is in Python.

URL: http://ftp.de.debian.org/debian/pool/main/o/openssl-blacklist/


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
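A check in the spirit of the package's openssl-vulnkey, written for this thread as an added example (not the Debian package's own code and not anything posted by the participants): it parses a blacklist file in the one-entry-per-line layout, picks the list matching the key size, and flags a modulus whose fingerprint is listed, reporting a gap instead of silently passing when that list (e.g. the RSA-4096 one from openssl-blacklist-extra) is not loaded. The fingerprint convention (SHA-1 over the exact `Modulus=<HEX>` line that `openssl x509 -noout -modulus` prints, keeping the last 20 hex digits) is my understanding of the package's list format and is an assumption here; the modulus and list contents are constructed sample data, not real weak keys.

```python
import hashlib
import re

# List file names follow the openssl-blacklist package layout; as the mail
# notes, the RSA-512 and RSA-4096 lists ship only in openssl-blacklist-extra.
LISTS = {
    512: ("blacklist.RSA-512", "openssl-blacklist-extra"),
    1024: ("blacklist.RSA-1024", "openssl-blacklist"),
    2048: ("blacklist.RSA-2048", "openssl-blacklist"),
    4096: ("blacklist.RSA-4096", "openssl-blacklist-extra"),
}

def fingerprint(modulus_hex):
    # Assumption: list entries are the last 20 hex digits of SHA-1 over the
    # exact "Modulus=<HEX>\n" line printed by `openssl x509 -noout -modulus`.
    line = "Modulus=%s\n" % modulus_hex.upper()
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]

def parse_blacklist(text):
    # One 20-hex-digit entry per line; lines starting with '#' are comments.
    entries = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if not re.fullmatch(r"[0-9a-f]{20}", line):
            raise ValueError("malformed blacklist line: %r" % raw)
        entries.add(line)
    return entries

def check_modulus(modulus_line, blacklists):
    # modulus_line is the "Modulus=..." line from openssl; blacklists maps a
    # list file name to its parsed entries. Returns "weak", "ok", or
    # "no-list:<file>:<package>" when the list for this key size is missing.
    m = re.fullmatch(r"Modulus=([0-9A-Fa-f]+)\s*", modulus_line)
    if not m:
        raise ValueError("unexpected openssl output: %r" % modulus_line)
    hexmod = m.group(1)
    bits = int(hexmod, 16).bit_length()
    name, package = LISTS.get(bits, ("blacklist.RSA-%d" % bits, "unknown"))
    if name not in blacklists:
        return "no-list:%s:%s" % (name, package)
    return "weak" if fingerprint(hexmod) in blacklists[name] else "ok"

# Constructed sample data (not a real Debian-weak key): a fake 1024-bit
# modulus whose fingerprint is placed on a fake RSA-1024 list.
SAMPLE_WEAK_MODULUS = "DEADBEEF" * 32
SAMPLE_LISTS = {"blacklist.RSA-1024": parse_blacklist(
    "# constructed sample list\n" + fingerprint(SAMPLE_WEAK_MODULUS) + "\n")}
```

Feed it the real `blacklist.RSA-*` files from the package and the `Modulus=` line of each certificate pulled from the CT logs; a `no-list` result means the key size was not covered by the lists you installed, which is the gap Hanno's "semi-thorough" remark alludes to.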
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy