Processing control commands:
> severity -1 normal
Bug #742145 [openssl] openssl: uses only 32 bytes (256 bit) for key generation
Severity set to 'normal' from 'serious'
--
742145: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742145
Debian Bug Tracking System
Contact ow...@bugs.debian.org wit
Control: severity -1 normal
Joey Hess dixit:
>Also, /usr/sbin/make-ssl-cert uses openssl req, and strace shows it
>also reading only 32 bytes of entropy.
We talked a bit about it in IRC. I think there is no need to panic.
While I still think that 32 bytes is cutting off a safety margin
I’d p
* Thorsten Glaser:
>>Historically, the OpenSSL command line tools have been intended for
>>debugging only.
>
> I disagree,
It's what I was told by the OpenSSL developers.
> Also, what do other tools (that do not invoke openssl(1)
> unlike most of these I saw, which were shell wrappers
> around i
Thorsten Glaser wrote:
> Florian Weimer dixit:
> >Historically, the OpenSSL command line tools have been intended for
> >debugging only.
>
> I disagree, in the case of genrsa and friends anyway.
Me too, and openssl(1ssl) does not mention debugging or not for
production use or give any warnings. A
Florian Weimer dixit:
>> I’d expect OpenSSL to use more than *at best* 256 bits of
>> entropy for generating a key of 4096 bits length.
>
>Thorsten, I think you could report this as a public bug.
Okay.
>Historically, the OpenSSL command line tools have been intended for
>debugging only.
I disag
Package: openssl
Version: 1.0.1f-1
Severity: serious
Tags: security
Justification: security issue
strace openssl genrsa 4096
Looking at the output:
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
poll([{fd=3, events=POLLIN}]
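As an added example (not part of the bug report and not code from OpenSSL or Debian), the check the report does by eye over strace output can be automated: parse the trace, map file descriptors to paths as they are opened and closed, and sum the bytes actually returned by read() on /dev/urandom and /dev/random. It also counts getrandom(2), which newer OpenSSL builds use instead of the device files, so it generalizes beyond the 1.0.1f trace quoted above. The lines in SAMPLE_STRACE are constructed for the example, not the reporter's real output; the fd-reuse case (fd 3 reopened on openssl.cnf after close) is included because naive grepping for `read(3` would wrongly count the config file.

```python
"""Sum the bytes a traced process pulls from the kernel CSPRNG.

Feed it the text of `strace openssl genrsa 4096` (or any strace log) and it
reports how many bytes were read from /dev/urandom, /dev/random and via the
getrandom(2) syscall, tracking file-descriptor reuse across close().
"""
import re
import sys
from collections import defaultdict

RANDOM_DEVICES = {"/dev/urandom", "/dev/random"}

# open("/dev/urandom", O_RDONLY|...) = 3  /  openat(AT_FDCWD, "/dev/urandom", ...) = 3
OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD,\s*)?"([^"]+)"[^)]*\)\s*=\s*(-?\d+)')
# read(3, "<escaped buffer>", 32) = 32   (greedy .* skips the buffer dump)
READ_RE = re.compile(r'^read\((\d+),\s.*,\s*(\d+)\)\s*=\s*(-?\d+)')
# getrandom("<escaped buffer>", 48, GRND_NONBLOCK) = 48
GETRANDOM_RE = re.compile(r'^getrandom\(.*,\s*(\d+),\s*[^)]*\)\s*=\s*(-?\d+)')
CLOSE_RE = re.compile(r'^close\((\d+)\)')
# `strace -f` prefixes lines with "[pid N]" or "N "; strip it so the syscall starts the line
PID_RE = re.compile(r'^\[pid\s+\d+\]\s*|^\d+\s+')

# Constructed sample trace (not the bug reporter's actual output).
SAMPLE_STRACE = r"""
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
poll([{fd=3, events=POLLIN}], 1, 10) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\x9f\x03\xd2..."..., 32) = 32
close(3)                                = 0
open("/etc/ssl/openssl.cnf", O_RDONLY) = 3
read(3, "#\n# OpenSSL example configuration file.\n"..., 4096) = 1024
close(3)                                = 0
getrandom("\x41\x42..."..., 48, GRND_NONBLOCK) = 48
"""


def random_bytes_read(strace_text):
    """Return {source: total_bytes} for /dev/urandom, /dev/random and getrandom()."""
    fd_to_path = {}          # currently open fd -> path, so reads land on the right file
    totals = defaultdict(int)
    for raw in strace_text.splitlines():
        line = PID_RE.sub("", raw.strip(), count=1)
        m = OPEN_RE.match(line)
        if m:
            path, fd = m.group(1), int(m.group(2))
            if fd >= 0:      # a failed open returns -1 and maps nothing
                fd_to_path[fd] = path
            continue
        m = CLOSE_RE.match(line)
        if m:
            fd_to_path.pop(int(m.group(1)), None)   # fd number may be reused afterwards
            continue
        m = READ_RE.match(line)
        if m:
            fd, got = int(m.group(1)), int(m.group(3))
            path = fd_to_path.get(fd)
            if path in RANDOM_DEVICES and got > 0:  # count bytes returned, not requested
                totals[path] += got
            continue
        m = GETRANDOM_RE.match(line)
        if m:
            got = int(m.group(2))
            if got > 0:
                totals["getrandom"] += got
    return dict(totals)


def seed_total(strace_text):
    """Total CSPRNG bytes across all sources, for a quick threshold check."""
    return sum(random_bytes_read(strace_text).values())


if __name__ == "__main__":
    text = sys.stdin.read() if len(sys.argv) == 1 else open(sys.argv[1]).read()
    for source, n in sorted(random_bytes_read(text).items()):
        print(f"{source}: {n} bytes ({n * 8} bits)")
    print(f"total: {seed_total(text)} bytes")
```

Run it as `strace -o trace.log openssl genrsa 4096 && python3 strace_seed.py trace.log` (the script name is assumed). On the constructed sample it reports 32 bytes from /dev/urandom and 48 via getrandom, and correctly ignores the 1024-byte read of openssl.cnf that reused fd 3.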