([personal profile] akicif Aug. 7th, 2008 01:44 am)
There's a bug in the version of openssl on Ubuntu 8.04 that means it gives false positives when verifying some certificates. This could have been oh so Not Good at All, except it got caught in plenty of time - and in future I get to ssh into a known safe box when checking certificates.

And what fun, it turns out the bug goes back at least some way towards Ubuntu's ancestral Debian distro.

I'm just surprised no-one noticed it before.

From: [identity profile] ciphergoth.livejournal.com


Do you mean this vulnerability?

http://www.debian.org/security/2008/dsa-1571

If so, the problem is not false positives but weak keys. If not, please do provide a link - cheers!

From: [identity profile] akicif.livejournal.com


Nope. Not that one - although it was fun, too. This one manifested itself when I was checking a certificate against our official authorities.pem - we have a list of approved certificates and a Thawte SSL123 certificate showed up as OK when it shouldn't have. I suspect one of my colleagues will be logging the details somewhere, but I know not where as yet.

From: [identity profile] rhialto.livejournal.com


I'd also be interested in details, when you can provide them.