Zak B. Elep: OpenSSL Ouch

May 13, 2008

I won’t repeat it here, but there’s DSA-1571-1 waiting for your attention,
especially if you generated any key material with openssl over the last couple of
years or so. Yes, you read it right: COUPLE.

Upgrading to the new OpenSSL is easy. Generating new keys is another story.

To save (or add to, depending on how you handle this) your pain, there is a
simple checker that can currently tell whether your OpenSSH or OpenVPN public
keys are weak enough to warrant replacement. I await a version that can handle
X.509 certificates too (though I only just generated a new one today, before
the announcement, so that means I have to do it again, and get its CSR to
CACert for signing, etc.).
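As an added illustration of what such a blacklist-based checker does (this is neither the author's checker nor Debian's ssh-vulnkey tool), here is the core of one in Python: it fingerprints each key in an authorized_keys-style file the way ssh-keygen -l did at the time (MD5 over the decoded key blob, colon-separated hex) and flags any fingerprint found in a blacklist given as a Python set. The sample keys and the blacklist are constructed stand-ins, not the published blacklist data.

```python
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    """Encode bytes in SSH wire format: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading zero byte if the high bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys line ('ssh-rsa <base64 blob> <comment>') from e and n."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)

def md5_fingerprint(key_line: str) -> str:
    """MD5 fingerprint of the decoded key blob, colon-separated like 'ssh-keygen -l' (OpenSSH of 2008)."""
    fields = key_line.split()
    for i, field in enumerate(fields):          # skip any options prefix (no-pty, from=..., ...)
        if field in ("ssh-rsa", "ssh-dss"):
            blob = base64.b64decode(fields[i + 1])
            break
    else:
        raise ValueError("not an ssh-rsa/ssh-dss key line: %r" % key_line[:40])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[j:j + 2] for j in range(0, len(digest), 2))

def find_weak_keys(authorized_keys_text: str, blacklist: set) -> list:
    """Return (line_no, comment, fingerprint) for every key whose fingerprint is blacklisted."""
    hits = []
    for line_no, line in enumerate(authorized_keys_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = md5_fingerprint(line)
        if fp in blacklist:
            hits.append((line_no, line.split()[-1], fp))
    return hits

# Constructed sample data: arbitrary odd moduli (not real RSA keys) and a stand-in blacklist
# built from the "weak" sample key rather than the published blacklist files.
WEAK_KEY = make_rsa_pubkey_line(65537, (1 << 1023) | 0x1234567, "alice@weakhost")
GOOD_KEY = make_rsa_pubkey_line(65537, (1 << 1023) | 0x7654321, "bob@laptop")
CONSTRUCTED_BLACKLIST = {md5_fingerprint(WEAK_KEY)}
SAMPLE_AUTHORIZED_KEYS = "# constructed authorized_keys\n" + WEAK_KEY + "\n" + GOOD_KEY + "\n"
```

Running find_weak_keys(SAMPLE_AUTHORIZED_KEYS, CONSTRUCTED_BLACKLIST) reports only the alice@weakhost entry; on a real host you would feed it each authorized_keys file and the /etc/ssh/ssh_host_*_key.pub files together with the published blacklist fingerprints.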

And yeah, if you’re running openssh-server, consider regenerating your
host RSA and DSA keys, e.g.:

# mv /etc/ssh/ssh_host_{dsa,rsa}_key* /some/place/else
# dpkg-reconfigure -plow openssh-server

That should regenerate your keys and restart openssh-server once the new keys
are installed to /etc/ssh.

The hard part (of making sure all the keys of your systems are updated and
tested) is still up to you, however.