Package: openssl
Version: 0.9.7e-3
Severity: grave
Tags: security
Justification: user security hole
openssl.cnf defaults to usage of MD5 as digest algorithm for generation of certificates and CAs. MD5 must be considered broken beyond hope; we're not just talking about theoretical attacks, but attacks feasible for everybody. X.509 keys with colliding checksums (and thus false certificates) have been shown. See http://www.cits.rub.de/MD5Collisions/ for another example.

Unfortunately, there seem to be problems with RIPEMD160 in practice (e.g. the Debian Thunderbird package doesn't understand RIPEMD160). So the only reasonable choice at the moment is SHA-1, even though SHA-1 has been theoretically weakened already, and RIPEMD160 would be preferable.

I suggest adding default_md: sha-1 in the req and ca sections of openssl.cnf, and talking the upstream maintainers into supporting SHA-384 or SHA-512.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages openssl depends on:
ii  libc6        2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libssl0.9.7  0.9.7e-3      SSL shared libraries

-- no debconf information
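The change the report asks for, shown as an added, constructed openssl.cnf excerpt rather than the Debian package's actual file: the weak default (commented out) beside the corrected line in both the CA and the request sections. The section names and the other keys are the conventional ones from the stock openssl.cnf; the directory and file values are assumed placeholders.

```ini
# Excerpt of an openssl.cnf (constructed example, not the Debian package file).
# default_md selects the digest used when signing. In the openssl.cnf syntax
# the value is written without a dash: sha1, not sha-1.

[ ca ]
default_ca      = CA_default            # the CA section actually used

[ CA_default ]
dir             = ./demoCA              # assumed placeholder path
certs           = $dir/certs
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
serial          = $dir/serial
private_key     = $dir/private/cakey.pem
default_days    = 365
# default_md    = md5                   # weak: MD5 collisions are practical
default_md      = sha1                  # corrected default for "openssl ca"
policy          = policy_match

[ req ]
default_bits    = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
# default_md    = md5                   # weak: MD5 collisions are practical
default_md      = sha1                  # corrected default for "openssl req"
```

To confirm the setting took effect, generate a self-signed certificate with `openssl req -new -x509 -config openssl.cnf -keyout key.pem -out cert.pem` and inspect it with `openssl x509 -in cert.pem -noout -text`; the `Signature Algorithm` line should read `sha1WithRSAEncryption` rather than `md5WithRSAEncryption`. The same `default_md` key accepts `sha256` on releases that support it (OpenSSL 0.9.8 and later), which is the place to move once the upstream support the report asks for is available.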