Re: [SLUG] Anyone else having problems with Ubuntu's latest openvpn?

2008-05-15 Thread John Clarke
On Thu, May 15, 2008 at 07:39:01 +1000, Mary Gardiner wrote:

> I haven't tried OpenVPN yet, but a new security advisory came out this
> morning saying "A regression was introduced in OpenVPN when using TLS
> and multi-client/server which caused OpenVPN to not start when using
> valid SSL certificates... It was also found that openssl-vulnkey from

That was it.  I've applied the latest update and my vpn now works 
again :-)

Now, does anyone know why, if the problem is that only the 15-bit PID
was used for entropy when these vulnerable keys were generated, the
blacklists contain more than 2^15 keys?  The 2048-bit RSA and 1024-bit
DSA blacklists each have 98307 entries, and the openvpn blacklist has
98304.  H.D. Moore's lists of ssh keys contain only 32K keys each, as
I'd expect (http://metasploit.com/users/hdm/tools/debian-openssl/).

The reason I ask is that I've generated 32K limited-entropy 1024-bit
RSA keys for a blacklist to check some keys we use internally (although
it's extremely unlikely any of them were generated on a vulnerable
system), and I was wondering if I should be generating more somehow.
And if anyone wants my blacklist, let me know & I'll make it available.


Thanks,

John
-- 
I've had attacks of diarrhea that were cleaner than VisualBasic.
-- Lionel Lauer
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] Anyone else having problems with Ubuntu's latest openvpn?

2008-05-14 Thread Mary Gardiner
On Thu, May 15, 2008, Sonia Hamilton wrote:
> Out of interest, what source are you using for your security advisories?

Same as John, I subscribe at
http://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce and to
similar lists for other distros when I'm using them.

http://lwn.net/ has regular roundups of all distribution security
updates too but I've generally updated by the time I see them.

-Mary


Re: [SLUG] Anyone else having problems with Ubuntu's latest openvpn?

2008-05-14 Thread John Clarke
On Thu, May 15, 2008 at 09:35:31 +1000, Sonia Hamilton wrote:

Hi Sonia,

> Out of interest, what source are you using for your security advisories?

I get mine from [EMAIL PROTECTED]


Cheers,

John
-- 
PdS> You obviously haven't used terminfo.
All the problems of termcap, a few extras and a layer of nastiness.
It's a wonderful tool.
-- Steve O'Hara-Smith


Re: [SLUG] Anyone else having problems with Ubuntu's latest openvpn?

2008-05-14 Thread Sonia Hamilton
On Thu, 2008-05-15 at 07:39 +1000, Mary Gardiner wrote:
> I haven't tried OpenVPN yet, but a new security advisory came out this
> morning saying "A regression was introduced in OpenVPN when using TLS

Out of interest, what source are you using for your security advisories?




Re: [SLUG] Anyone else having problems with Ubuntu's latest openvpn?

2008-05-14 Thread John Clarke
On Thu, May 15, 2008 at 07:39:01 +1000, Mary Gardiner wrote:

> I haven't tried OpenVPN yet, but a new security advisory came out this
> morning saying "A regression was introduced in OpenVPN when using TLS

Thanks Mary, I've just seen that too.  I'll give it a go later.


Cheers,

John
-- 
I find this highly amusing, as I am yet to find any difference
between `supported' and `unsupported' when it comes to Sybase
products.
-- Matt McLeod


Re: [SLUG] Anyone else having problems with Ubuntu's latest openvpn?

2008-05-14 Thread Mary Gardiner
I haven't tried OpenVPN yet, but a new security advisory came out this
morning saying "A regression was introduced in OpenVPN when using TLS
and multi-client/server which caused OpenVPN to not start when using
valid SSL certificates... It was also found that openssl-vulnkey from
openssl-blacklist would fail when stderr was not available. This caused
OpenVPN to fail to start when used with applications such as
NetworkManager."

So sounds like they're on top of at least some bugs now and you should
upgrade:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-May/000710.html

-Mary


[SLUG] Anyone else having problems with Ubuntu's latest openvpn?

2008-05-14 Thread John Clarke
G'day sluggers,

I updated openvpn on a Ubuntu Feisty server today and discovered that
the openvpn server wouldn't allow incoming connections (tried with two
different clients).  This message appears in syslog when a client
tries to connect.

May 14 16:45:46 dropbear openvpn[17945]: 59.167.42.155:33826
ERROR: '/etc/openvpn/easy-rsa/keys/server.key' is a known
vulnerable key. See 'man openssl-vulnkey' for details.

However, when I run openssl-vulnkey on that key file, it says that
the key is not blacklisted.  The key was not generated on a Debian
or Ubuntu system, nor was it generated with a faulty version of
openssl.

Has anyone else encountered a similar problem?  Any ideas why
openvpn doesn't like my key even though its own vulnerability
checker says it's OK?


Thanks,

John
-- 
If it wasn't for CodeRed, my web server would have no-one to talk to.
-- Graham Reed
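The check behind openvpn's "known vulnerable key" error and John's blacklist-size question (in his later message in this thread) both come down to how an openssl-blacklist entry is derived and counted. The following is an added example, not code from the thread or from the openssl-blacklist package: it assumes, per the package README, that an entry is the last 20 hex characters of SHA-1 over the exact "Modulus=..." line that `openssl rsa -noout -modulus` prints, and that blacklist files may begin with '#' header lines that `wc -l` counts but a lookup must skip. The moduli and blacklist text below are constructed sample data.

```python
import hashlib

def openssl_fingerprint(modulus_hex: str) -> str:
    """Blacklist entry for an RSA modulus: SHA-1 over the line that
    `openssl rsa -noout -modulus` prints ("Modulus=<UPPER HEX>\n"),
    keeping the last 20 hex characters (80 bits).
    Assumption: this matches the recipe in the openssl-blacklist README."""
    line = "Modulus=%s\n" % modulus_hex.upper()
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]

def load_blacklist(text: str) -> set:
    """Parse blacklist text: one 20-hex-char entry per line.
    Assumption: '#' lines and blank lines are headers, not entries."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) != 20 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError("malformed blacklist line: %r" % raw)
        entries.add(line)
    return entries

def is_blacklisted(modulus_hex: str, blacklist: set) -> bool:
    """True when the key's fingerprint appears in the loaded blacklist."""
    return openssl_fingerprint(modulus_hex) in blacklist

def line_count(text: str) -> int:
    """What `wc -l` reports: every line, header lines included."""
    return text.count("\n")

def entry_count(text: str) -> int:
    """Number of real fingerprint entries, header lines excluded."""
    return len(load_blacklist(text))

# Constructed sample data: not real keys, not real blacklist contents.
WEAK_MODULUS = "D1" * 128   # 1024-bit-sized modulus standing in for a weak key
GOOD_MODULUS = "E7" * 128   # a modulus that is not in the blacklist
SAMPLE_BLACKLIST = "\n".join([
    "# constructed sample in the openssl-blacklist file layout",
    "# header lines are counted by wc -l but are not entries",
    openssl_fingerprint(WEAK_MODULUS),
]) + "\n"

if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST)
    for name, mod in (("weak", WEAK_MODULUS), ("good", GOOD_MODULUS)):
        verdict = "BLACKLISTED" if is_blacklisted(mod, bl) else "ok"
        print("%s %s %s" % (name, openssl_fingerprint(mod), verdict))
    print("wc -l: %d  entries: %d" % (line_count(SAMPLE_BLACKLIST),
                                      entry_count(SAMPLE_BLACKLIST)))
```

To check a real key, feed `openssl_fingerprint` the hex after "Modulus=" from `openssl rsa -noout -modulus -in server.key` and load the matching `blacklist.RSA-<bits>` file from your installed openssl-blacklist package.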