Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 10 Apr 2014 12:02:39 +0300
From: Georgi Guninski <guninski@...inski.com>
To: oss-security@...ts.openwall.com
Subject: Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ?

Someone suggested not using self signed certs.
Created RSA CA and DSA cert with g=1

$ openssl x509 -text -in certg=1.pem
G:    1 (0x1)

#server
$openssl s_server -accept 8888 -cert ./certg=1.pem -key certg=1.key -CAfile ./cacert.pem -www

#client
$ openssl s_client -connect localhost:8888 -showcerts -CAfile cacert.pem
Verify return code: 0 (ok)

Works in konqueror but not on firefox/nss for me.


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e9:fd:3b:43:46:e2:a6:48
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=RSA1, CN=RSA1
        Validity
            Not Before: Apr 10 08:25:31 2014 GMT
            Not After : Apr  9 08:25:31 2017 GMT
        Subject: C=AU, ST=Some-State, O=RSA1, CN=RSA1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ee:7f:6d:8e:01:58:23:68:80:85:dc:a5:e0:0c:
                    39:ae:16:20:84:af:67:ee:5f:f7:f7:f2:57:e3:b1:
                    a3:ef:d5:f1:2e:9f:46:d7:c0:9e:8f:bd:94:56:d2:
                    74:2a:f7:e1:c0:a2:cf:5c:62:22:81:f2:8c:ca:1f:
                    e2:73:13:d7:dd:19:be:79:ab:5b:fe:fa:f8:7e:46:
                    b4:14:4a:08:b2:25:50:fa:e2:2f:67:b1:69:73:58:
                    51:9f:08:98:69:61:f1:4f:8f:95:3e:7c:bf:cf:79:
                    94:04:9e:d5:ff:ad:cd:6a:b1:66:7a:49:43:1c:67:
                    f0:d0:34:9d:ba:6c:b9:d4:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AD:A6:21:7F:E8:4A:10:56:1B:4E:7E:13:33:FE:7A:FE:23:30:B1:3F
            X509v3 Authority Key Identifier: 
                keyid:AD:A6:21:7F:E8:4A:10:56:1B:4E:7E:13:33:FE:7A:FE:23:30:B1:3F
                DirName:/C=AU/ST=Some-State/O=RSA1/CN=RSA1
                serial:E9:FD:3B:43:46:E2:A6:48

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        82:8c:61:fe:97:bb:5f:fd:85:33:de:63:5b:2f:19:14:27:46:
        e5:06:a6:23:f4:fd:7a:bc:b3:be:ca:2a:e3:b3:e9:56:76:48:
        ef:0c:d8:ac:24:77:5a:37:35:b3:ab:28:21:a6:93:1c:cb:e3:
        99:90:0f:0c:04:36:a2:4a:8a:d8:12:0f:12:9d:d5:25:0f:06:
        0c:c9:b0:9d:50:19:89:fc:f8:38:69:d5:4a:58:3c:74:34:11:
        8e:c5:23:8a:19:5b:e6:ed:65:36:4e:f0:38:91:4f:5c:25:e0:
        13:48:87:d4:32:6c:29:4f:b7:d9:d6:5a:ef:e3:f0:9d:aa:7c:
        73:c8
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAOn9O0NG4qZIMA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMQ0wCwYDVQQKEwRSU0ExMQ0wCwYD
VQQDEwRSU0ExMB4XDTE0MDQxMDA4MjUzMVoXDTE3MDQwOTA4MjUzMVowQDELMAkG
A1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxDTALBgNVBAoTBFJTQTExDTAL
BgNVBAMTBFJTQTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO5/bY4BWCNo
gIXcpeAMOa4WIISvZ+5f9/fyV+Oxo+/V8S6fRtfAno+9lFbSdCr34cCiz1xiIoHy
jMof4nMT190ZvnmrW/76+H5GtBRKCLIlUPriL2exaXNYUZ8ImGlh8U+PlT58v895
lASe1f+tzWqxZnpJQxxn8NA0nbpsudShAgMBAAGjgaIwgZ8wHQYDVR0OBBYEFK2m
IX/oShBWG05+EzP+ev4jMLE/MHAGA1UdIwRpMGeAFK2mIX/oShBWG05+EzP+ev4j
MLE/oUSkQjBAMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTENMAsG
A1UEChMEUlNBMTENMAsGA1UEAxMEUlNBMYIJAOn9O0NG4qZIMAwGA1UdEwQFMAMB
Af8wDQYJKoZIhvcNAQEFBQADgYEAgoxh/pe7X/2FM95jWy8ZFCdG5QamI/T9eryz
vsoq47PpVnZI7wzYrCR3Wjc1s6soIaaTHMvjmZAPDAQ2okqK2BIPEp3VJQ8GDMmw
nVAZifz4OGnVSlg8dDQRjsUjihlb5u1lNk7wOJFPXCXgE0iH1DJsKU+32dZa7+Pw
nap8c8g=
-----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e9:fd:3b:43:46:e2:a6:49
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=RSA1, CN=RSA1
        Validity
            Not Before: Apr 10 08:27:36 2014 GMT
            Not After : Apr 10 08:27:36 2015 GMT
        Subject: C=AU, ST=Some-State, O=g=1, CN=localhost
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
                pub:  1 (0x1)
                P:   
                    00:fe:35:fb:2a:58:31:e4:75:5c:5a:5a:a8:1f:ca:
                    32:a3:d6:8e:fd:7a:87:84:ea:18:56:cf:13:94:3f:
                    a5:09:28:d0:e4:f3:0a:99:d6:24:c9:06:31:17:88:
                    b4:a4:57:bc:03:b1:74:aa:e5:05:63:e2:d6:39:12:
                    44:42:ab:c1:c9:d4:57:a9:68:f1:45:20:a2:12:f5:
                    b6:c8:04:f7:bb:87:34:2a:f2:91:dd:8c:6d:d4:b5:
                    fb:86:db:1a:68:56:f7:06:60:cd:92:b8:50:83:1c:
                    23:e7:c2:a9:4e:ae:5f:ef:3d:10:1d:4c:ac:c9:01:
                    4c:ae:f2:b8:a7:01:0e:3e:97
                Q:   
                    00:ef:c5:6e:6a:6d:b3:c0:2b:c9:df:2c:28:bb:56:
                    1f:f3:d4:b3:42:0b
                G:    1 (0x1)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A2:4E:6C:DC:DC:67:C3:17:F9:CE:56:7A:0B:F3:D7:04:00:66:AF:48
            X509v3 Authority Key Identifier: 
                keyid:AD:A6:21:7F:E8:4A:10:56:1B:4E:7E:13:33:FE:7A:FE:23:30:B1:3F

    Signature Algorithm: sha1WithRSAEncryption
        97:7a:7c:90:5d:9c:43:d3:dd:be:30:c5:11:e3:3e:83:b3:a5:
        02:97:3d:1d:94:c5:49:79:d3:d8:77:c8:8e:2f:44:5a:d9:aa:
        6b:a7:90:0a:5f:1c:24:5e:36:9d:09:1a:50:90:9e:f0:d4:54:
        1f:f8:86:4f:92:32:8d:15:5d:40:b9:2b:ab:b8:81:3f:79:fa:
        02:02:9e:d1:c5:ec:6b:90:d2:ba:e4:09:32:68:fc:fc:a9:9f:
        fd:a8:3e:95:dc:fa:ea:1f:26:94:58:d9:5a:13:3c:a3:74:ee:
        2c:b9:f1:b5:b5:34:48:47:e2:a1:57:dc:96:e9:5c:cd:1e:ec:
        30:83
-----BEGIN CERTIFICATE-----
MIICkTCCAfqgAwIBAgIJAOn9O0NG4qZJMA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMQ0wCwYDVQQKEwRSU0ExMQ0wCwYD
VQQDEwRSU0ExMB4XDTE0MDQxMDA4MjczNloXDTE1MDQxMDA4MjczNlowRDELMAkG
A1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxDDAKBgNVBAoTA2c9MTESMBAG
A1UEAxMJbG9jYWxob3N0MIGzMIGqBgcqhkjOOAQBMIGeAoGBAP41+ypYMeR1XFpa
qB/KMqPWjv16h4TqGFbPE5Q/pQko0OTzCpnWJMkGMReItKRXvAOxdKrlBWPi1jkS
REKrwcnUV6lo8UUgohL1tsgE97uHNCrykd2MbdS1+4bbGmhW9wZgzZK4UIMcI+fC
qU6uX+89EB1MrMkBTK7yuKcBDj6XAhUA78Vuam2zwCvJ3ywou1Yf89SzQgsCAQED
BAACAQGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2Vu
ZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSiTmzc3GfDF/nOVnoL89cEAGav
SDAfBgNVHSMEGDAWgBStpiF/6EoQVhtOfhMz/nr+IzCxPzANBgkqhkiG9w0BAQUF
AAOBgQCXenyQXZxD092+MMUR4z6Ds6UClz0dlMVJedPYd8iOL0Ra2aprp5AKXxwk
XjadCRpQkJ7w1FQf+IZPkjKNFV1AuSuruIE/efoCAp7RxexrkNK65AkyaPz8qZ/9
qD6V3PrqHyaUWNlaEzyjdO4sufG1tTRIR+KhV9yW6VzNHuwwgw==
-----END CERTIFICATE-----

[ CONTENT OF TYPE application/pgp-keys SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ