Comment 1 for bug 19835

Christoph Martin (martin-uni-mainz) wrote: [Fwd: Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest]

Hi folks,

can you please comment on this bug report I got via the Debian
bug-tracking system. This is the first time that I heard someone saying
that the theoretical weakness of MD5 is a real security hole.

Christoph
--
============================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail: <email address hidden>
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856

Package: openssl
Version: 0.9.7e-3
Severity: grave
Tags: security
Justification: user security hole

openssl.cnf defaults to usage of MD5 as digest algorithm for generation
of certificates and CAs. MD5 must be considered broken beyond hope,
we're not just talking about theoretical attacks, but attacks feasible
for everybody. X.509 keys with colliding checksums (and thus false
certificates) have been shown. See:

http://www.cits.rub.de/MD5Collisions/

for another example.

Unfortunately, there seem to be problems with RIPEMD160 in practice
(e.g. the Debian Thunderbird package doesn't understand RIPEMD160). So
the only reasonable choice at the moment is SHA-1, even though SHA-1 has
been theoretically weakened already, and RIPEMD160 would be preferable.
I suggest adding

default_md: sha-1

in the req and ca sections of openssl.cnf, and talking the upstream
maintainers into supporting SHA-384 or SHA-512.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages openssl depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libssl0.9.7 0.9.7e-3 SSL shared libraries

-- no debconf information
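A defender's follow-up to the report above, as an added example that is not from the bug reporter, Christoph Martin or the openssl package: changing `default_md` in `openssl.cnf` only affects certificates issued from then on, so a small auditor that reads the signatureAlgorithm OID out of existing DER certificates and flags MD5 (or SHA-1) signed ones shows what still needs re-issuing. The OID table is the standard PKCS#1 set; the DER skeleton used as sample input is constructed here for testing and is not a real certificate.

```python
"""Audit which digest an X.509 certificate's signature uses (pure stdlib)."""
# Signature-algorithm OIDs (PKCS#1) mapped to the digest they name.
SIG_DIGEST = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
}
WEAK_DIGESTS = {"md5", "sha1"}  # collision-prone; flag for re-issuance

def _tlv(buf, pos):
    """Read one DER tag and length; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):  # DER OID content bytes -> dotted-decimal string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_digest(cert_der):
    """Digest named by the outer signatureAlgorithm, or "unknown"."""
    tag, pos, _ = _tlv(cert_der, 0)               # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _tlv(cert_der, pos)           # tbsCertificate (skipped)
    _, alg_start, _ = _tlv(cert_der, tbs_end)     # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _tlv(cert_der, alg_start)
    assert tag == 0x06, "expected OID"
    return SIG_DIGEST.get(_decode_oid(cert_der[oid_start:oid_end]), "unknown")

def is_weakly_signed(cert_der):
    return signature_digest(cert_der) in WEAK_DIGESTS
def _der(tag, content):                  # short-form lengths only (< 128 bytes)
    return bytes([tag, len(content)]) + content
def constructed_cert(sig_oid_hex):
    """Constructed DER skeleton (not a real cert): empty TBS, given OID, dummy sig."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))

MD5_SIGNED = constructed_cert("2a864886f70d010104")     # md5WithRSAEncryption
SHA256_SIGNED = constructed_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

Feed `signature_digest` the DER bytes of a real certificate (the base64-decoded body of a PEM file); the parser handles long-form lengths, only the sample builder is limited to short-form ones.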