OpenSSL Security in Debian & Ubuntu since 2006

Alan DeKok aland at deployingradius.com
Tue May 13 21:48:38 CEST 2008


A.L.M.Buxey at lboro.ac.uk wrote:
> thank you Alan for your responsible reporting of this issue,
> as anyone using FreeRADIUS with EAP-TLS etc will be using OpenSSL
> anyone on any platform with a weak key method needs to know
> this issue.

  I've updated the main web page, too.

> I note that various OpenSSL-using tools are being updated to detect
> such weak keys - eg OpenVPN on ubuntu - and if they detect
> them, they won't start (reporting a direct error about
> such keys) - will FreeRADIUS also adopt this policy?

  Er... send a patch?

  A quick look at the documentation for "openssl-vulnkey" and friends
isn't helpful.  They check a key against a list of blacklisted keys...
and don't give much more information about blacklisting keys.

  i.e. it's up to you to generate the list of blacklisted keys.  The
tool can then be used to check the key.

  For RADIUS purposes, I don't see much use in this.  There's usually
only one server key, and maybe a self-signed cert key.  Once those are
re-generated and deployed, you're done.  There's not much need to check
blacklists for keys.

  The blacklist is more useful for client software like a supplicant.
And even there, it's likely easier just to replace the old RADIUS server
key with the new one.

  Alan DeKok.
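As an added example (not FreeRADIUS code, and not the Debian openssl-vulnkey tool itself), this is what the blacklist lookup described above and the "won't start" policy from the quoted question look like when written out. Assumptions not confirmed by the message: the blacklist entry for a key is taken to be the last 20 hex digits of SHA-1 over the `Modulus=<HEX>` line (with trailing newline) that `openssl rsa -noout -modulus` prints, the scheme the openssl-blacklist package is believed to use; the sample key and blacklist are constructed test data, not real Debian entries; the PEM parser only handles the PKCS#1 "RSA PRIVATE KEY" form.

```python
"""Checking an RSA private key against a weak-key blacklist.

Added example, not FreeRADIUS code and not the Debian openssl-vulnkey
tool itself.  Assumptions: the blacklist entry for a key is the last 20
hex digits of SHA-1 over the "Modulus=<HEX>\\n" line that
`openssl rsa -noout -modulus` prints (believed to be the openssl-blacklist
scheme); the key and blacklist below are constructed test data.
"""
import base64
import hashlib
import re

# ---- minimal DER: enough to build and read a PKCS#1 RSAPrivateKey ----------

def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(value):
    """DER INTEGER of a non-negative int (a leading 0x00 keeps it positive)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return b"\x02" + _der_len(len(body)) + body

def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

PEM_RE = re.compile(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", re.S)

def modulus_from_pem(pem):
    """Extract the modulus n from a PKCS#1 'RSA PRIVATE KEY' PEM block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PKCS#1 RSA private key")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, _version, pos = _read_tlv(body, 0)   # RSAPrivateKey ::= SEQUENCE { version,
    tag, n, _ = _read_tlv(body, pos)        #   modulus, publicExponent, ... }
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n, "big")

# ---- the blacklist check itself ---------------------------------------------

def fingerprint(modulus):
    """Blacklist entry for a modulus (assumed openssl-vulnkey scheme)."""
    line = "Modulus=%X\n" % modulus         # the line `openssl rsa -noout -modulus` prints
    return hashlib.sha1(line.encode()).hexdigest()[-20:]

def load_blacklist(text):
    """One fingerprint per line; '#' starts a comment; blank lines are ignored."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(line.lower())
    return entries

def is_blacklisted(pem, blacklist):
    return fingerprint(modulus_from_pem(pem)) in blacklist

def startup_check(pem, blacklist):
    """The OpenVPN-style policy: return an error message instead of starting
    when the server key is on the list, None when it is fine."""
    fp = fingerprint(modulus_from_pem(pem))
    if fp in blacklist:
        return "refusing to start: private key fingerprint %s is blacklisted" % fp
    return None

# ---- constructed test data (not real keys, not the real Debian list) --------

def make_sample_pem(n, e=65537):
    """Wrap modulus n in a syntactically valid RSAPrivateKey; the private
    components are dummy 1s, so this is a parser test vector, not a usable key."""
    der = der_seq(der_int(0), der_int(n), der_int(e), *[der_int(1) for _ in range(6)])
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % body

WEAK_N = (1 << 1023) | 0x1234567            # stands in for a predictable Debian modulus
GOOD_N = (1 << 1023) | 0x7654321            # stands in for a properly generated one
WEAK_PEM = make_sample_pem(WEAK_N)
GOOD_PEM = make_sample_pem(GOOD_N)
BLACKLIST_TEXT = "# constructed blacklist\n%s\n" % fingerprint(WEAK_N)

if __name__ == "__main__":
    bl = load_blacklist(BLACKLIST_TEXT)
    for name, pem in (("weak", WEAK_PEM), ("good", GOOD_PEM)):
        print(name, startup_check(pem, bl) or "ok")
```

Under the same assumption about the fingerprint scheme, the value `fingerprint()` computes for a real server key is the one you would get by hashing the output of `openssl rsa -noout -modulus -in server.pem`, so the check can be run against the distribution's blacklist files before the server binds its ports; whether a hit refuses startup, as the quoted OpenVPN behaviour does, or only logs a warning is a policy choice the function leaves to the caller.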



More information about the Freeradius-Users mailing list