While issuing an SSL123 certificate from Thawte using openssl on my VM
(PROXMOX version 1.6), I received the following alert:
SSL123
Our system has detected that your CSR has a weak public key. Before creating a new CSR and resubmitting your request, you must update the operating system on the server where the key was generated. For more information, please read the advisory at Customer support.
Looks like Debian still uses an old 512-bit key length certificate.
Has anyone ever applied the suggested patch?
--------------------------------------------------------
this is the support advisory:
Effective Date
05/15/2008
Advisory
NOTE: In early December 2008, emails were sent to all thawte customers whose certificates are affected by the Debian/OpenSSL vulnerability. It was discovered that additional recipients of that email do not have certificates generated from, on, or by a Debian-derived OS; however, those recipients do have certificates with key lengths of 512-bits, which thawte regards as weaker than industry-standard. Even though the 512-bit keyed certificates will not be on a revocation program, thawte strongly recommends that those 512-bit keyed certificates are replaced with stronger key pairs. Read more at https://www.thawte.com/ssl-digital-certificates/technical-support/advisory_1024bit.html
On May 13, 2008, the Debian project announced that an update to Debian's OpenSSL package in 2006 contains a vulnerability that can weaken the system's Random Number Generator, making SSH and SSL encryption and authentication predictable. The vulnerability is specific to Debian and does not affect other non-Debian operating systems. However a non-Debian system can be affected if they are using cryptographic keys from an affected Debian system.
Debian has made a patch available, however the patch is only capable of preventing the vulnerability going forward and does not remove a previous occurrence. Therefore for those Debian systems starting with version 0.9.ec-1, it is highly recommended to recreate from scratch any cryptographic key material that has been generated with OpenSSL. For additional information on the vulnerability and information regarding the patch, please see the following Debian security advisory DSA-1571-1.
To correct this issue, follow these steps:
Download and install the Debian patch provided in the Debian security advisory DSA-1571-1
Replace all affected SSL certificates. In accordance with this advisory, thawte is providing Revocation and Replacement of SSL certificates at no charge for those thawte customers affected by this vulnerability.
IMPORTANT: When generating the new Certificate Signing Request (key pair), it is important to ensure the certificate information (Distinguished Name) is identical to the information on the existing certificate.
Please perform the steps in the link to reissue your certificate: SO9094
If you are unsure if you are affected, Debian has made available a weak key detector published here.
http://lists.debian.org/debian-security-announce/2008/msg00152.html
As additional information becomes available, thawte will update this advisory accordingly
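
Added example, not part of the original post or the thawte advisory: a pre-submission check, using the openssl CLI, that a replacement CSR carries a large enough key and the same Distinguished Name as the existing certificate. The function names, the file arguments and the 2048-bit default minimum are assumptions of this example (the advisory only states that 512-bit keys are regarded as weak). It checks key size and DN only and does not detect keys produced by the affected Debian random number generator; that is what the weak key detector linked above is for.

```shell
#!/usr/bin/env bash
# Added example: pre-submission checks for a replacement CSR.
# All file names passed to these functions are placeholders.

# Print the public-key size in bits of a PEM CSR, e.g. "2048".
# Handles both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)" output.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Print the subject DN of a CSR ("req") or certificate ("x509") in RFC 2253
# form, without the "subject=" prefix, so the two can be compared as strings.
subject_dn() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//'
}

# check_replacement_csr OLD_CERT NEW_CSR [MIN_BITS]
# Succeeds only if the CSR key has at least MIN_BITS bits (default 2048,
# an assumption of this example) and the CSR's DN equals the DN on the
# existing certificate.
check_replacement_csr() {
    local old_cert="$1" new_csr="$2" min_bits="${3:-2048}"
    local bits old_dn new_dn
    bits=$(csr_key_bits "$new_csr")
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, need >= $min_bits"
        return 1
    fi
    old_dn=$(subject_dn x509 "$old_cert")
    new_dn=$(subject_dn req "$new_csr")
    if [ -z "$old_dn" ] || [ "$old_dn" != "$new_dn" ]; then
        echo "FAIL: DN mismatch: cert='$old_dn' csr='$new_dn'"
        return 1
    fi
    echo "OK: ${bits}-bit key, DN '$new_dn'"
}
```

Run it as `check_replacement_csr existing.crt new.csr` after sourcing the file, before pasting the CSR into the reissue form.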