Hi,

Given that not so long ago there was extensive discussion on this list
about certificates affected by the 2008 Debian OpenSSL bug [1] and
there seem to be related discussions in the CA/Browser Forum [2] I
wanted to share something:

It seems it is widely believed that the Debian OpenSSL bug does not
affect ECDSA / elliptic curve keys [3]. However that is not true. The
affected Debian versions used OpenSSL 0.9.8, which had support for EC
keys.

The source of this confusion seems to be a footnote in a paper
published shortly after that bug [4] ("but the version of OpenSSL
deployed on Debian-derived distributions ships without any elliptic
curve support"). That is wrong.


There's of course the question whether this matters. I did some checks
with certificate collections and I found no such keys used in the wild.
This is also maybe not surprising: In 2008 elliptic curve support in
TLS was still quite uncommon and considered unusual.


In any case: If you feel like blocking those keys is important, I have
created the different relevant variations for the typical curves p256
and p385 and shared them here (together with all the relevant RSA/DSA
variations of vulnerable keys):
https://github.com/badkeys/debianopenssl

I should note that sometimes this old openssl version seems to generate
broken keys that are not usable. I have not investigated this any
further.


My own tool badkeys will detect such keys:
https://badkeys.info/
https://github.com/badkeys/badkeys


If you want to verify this you may find this script helpful:
https://github.com/badkeys/debianssltools/blob/main/fetchdwkbin
It fetches the archived debian openssl packages and the necessary
libraries from the dependencies so you can run them with LD_PRELOAD on
a modern system.


[1] https://groups.google.com/g/mozilla.dev.security.policy/c/2uuXLPwGoSA/m/bqUDTXPSAgAJ
[2] https://archive.cabforum.org/pipermail/servercert-wg/2022-July/003260.html
[3] https://community.letsencrypt.org/t/is-it-possible-to-make-ecdsa-keys-with-insecure-debian-openssl/133847
[4] https://hovav.net/ucsd/dist/debiankey.pdf

-- 
Hanno Böck
https://hboeck.de/
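As an added illustration of the point above (that a weak-key blocklist check must cover EC keys, not only RSA/DSA), here is a stdlib-only Python checker; it is my example, not Hanno's code and not part of badkeys or the debianopenssl repository, and it does not assume anything about the file format those lists use. It parses a DER SubjectPublicKeyInfo, extracts the named curve and the uncompressed EC point, and looks the point's SHA-256 up in a blocklist; the one blocklist entry is a constructed stand-in (the P-256 generator point, i.e. the public key for d = 1), not a real Debian-weak key.

```python
import hashlib

EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")   # id-ecPublicKey
CURVES = {                                             # named-curve OIDs
    bytes.fromhex("2a8648ce3d030107"): "P-256",        # prime256v1
    bytes.fromhex("2b81040022"): "P-384",              # secp384r1
}

def _tlv(data, pos):
    """Decode one DER TLV at pos: returns (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_ec_spki(der):
    """Return (curve name, uncompressed point) from a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _tlv(der, 0)
    tag_alg, alg, after_alg = _tlv(spki, 0)
    if tag != 0x30 or tag_alg != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    tag, oid, after_oid = _tlv(alg, 0)
    if tag != 0x06 or oid != EC_PUBLIC_KEY_OID:
        raise ValueError("not an EC key")              # RSA/DSA need their own lists
    tag, curve_oid, _ = _tlv(alg, after_oid)
    if tag != 0x06 or curve_oid not in CURVES:
        raise ValueError("unsupported curve")
    tag, bits, _ = _tlv(spki, after_alg)
    if tag != 0x03 or bits[:2] != b"\x00\x04":         # 0 unused bits, 0x04 = uncompressed
        raise ValueError("unexpected EC point encoding")
    return CURVES[curve_oid], bits[1:]

def fingerprint(der):
    """SHA-256 of the uncompressed point: the lookup key into the blocklist."""
    return hashlib.sha256(parse_ec_spki(der)[1]).hexdigest()

def is_blocklisted(der, blocklist):
    """True if this EC key's public point is in the set of known-weak points."""
    return fingerprint(der) in blocklist

# Constructed sample (hypothetical, not a real Debian-weak key): the P-256
# generator point is the public key for private key d = 1, so it serves as a
# convenient stand-in for an entry in a weak-key blocklist.
WEAK_KEY = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"   # SPKI header, P-256
    "046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
BLOCKLIST = {fingerprint(WEAK_KEY)}   # in practice built once from the weak-key corpus
```

The real lists should be loaded from the repository linked above; the checker deliberately refuses non-EC keys so that RSA/DSA keys go through their own blocklist rather than silently passing.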
