Knowledgebase: SSL Technical FAQs
Am I or is Comodo affected by the OpenSSL vulnerability in Debian reported May 13, 2008?

Intended Audience: Web hosts, web server administrators, technical personnel responsible for generating CSRs and installing SSL certificates on web servers.

On May 13th, 2008 the Debian project announced that Luciano Bello found an interesting vulnerability in the OpenSSL package they were distributing. Details can be found here:

http://www.debian.org/security/2008/dsa-1571

Please note that this vulnerability does not affect ComodoCA or our PKI infrastructure in any way. The vulnerability affects the way PRIVATE keys are generated, a process which occurs on your systems.

If your CSR was:

- generated since 2006-09-17,
- generated with Etch, Lenny or Sid (Sarge is not vulnerable), and
- generated using 'openssl', 'ssh-keygen', or 'openvpn --keygen' (GnuPG and GnuTLS are not affected),

you must:

1. Generate a new CSR and key pair.
2. Log in to your Comodo account, click SSL Certificate(s), and use the option to 'Replace' your certificate (a window will open for you to copy and paste your new CSR).
3. Download and install your new certificate.
4. Revoke your replaced certificate.

A complete list of Debian based distributions can be found here:

http://en.wikipedia.org/wiki/List_of_Linux_distributions#Debian-based

To see what version of a Debian-based distribution you are running, you can use one of the following commands:

$ lsb_release -d -s -c

or

$ cat /etc/lsb-release

To see what version of openssl is installed, use the command

$ openssl version -v -d -p

A detector for known weak key material has been published here:

http://security.debian.org/project/extra/dowkd/dowkd.pl.gz

There is a wiki with detailed information on upgrading software here:

http://wiki.debian.org/SSLkeys
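The checks described above, gathered into one triage script. This is an added example, not Comodo's tooling and not the Debian detector (dowkd.pl is the published detector). The codename and date conditions come from this article; the modulus-blacklist lookup assumes the tag format used by the openssl-blacklist package (the last 20 hex digits of SHA-1 over the `Modulus=...` line printed by `openssl rsa -noout -modulus`, newline included), which is my assumption and should be verified against that package before relying on it. `triage_key` expects openssl, lsb_release, sha1sum and GNU date on the host; the other functions run on plain strings.

```shell
#!/bin/sh
# Constructed triage helper for the Debian weak-key defect (DSA-1571).
# Not Comodo's or Debian's code. See the lead-in for the assumptions made.

# Condition: was the key generated on a release that shipped the flawed OpenSSL?
# Codenames from the article: Etch, Lenny and Sid are affected, Sarge is not.
is_affected_codename() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        etch|lenny|sid) return 0 ;;
        *) return 1 ;;
    esac
}

# Condition: generated on or after 2006-09-17. A key file carries no
# generation timestamp, so the caller supplies a proxy (the certificate's
# notBefore date or the key file's mtime) as YYYY-MM-DD.
in_affected_window() {
    d=$(printf '%s' "$1" | tr -d '-')
    [ "$d" -ge 20060917 ]
}

# Blacklist tag for an RSA modulus given as hex (assumed openssl-blacklist
# format: last 20 hex digits of SHA-1 over "Modulus=<HEX>\n").
modulus_tag() {
    printf 'Modulus=%s\n' "$1" | sha1sum | cut -c21-40
}

# Return 0 if the modulus tag appears as a whole line in the blacklist file.
modulus_is_blacklisted() {
    tag=$(modulus_tag "$1")
    grep -qx "$tag" "$2"
}

# Full triage for one PEM private key on the running host.
# Usage: triage_key /path/to/server.key /path/to/blacklist.RSA-2048
# Returns 0 when the key should be replaced or reviewed, 1 when nothing was found.
triage_key() {
    key=$1
    blacklist=$2
    codename=$(lsb_release -c -s 2>/dev/null || echo unknown)
    mtime=$(date -r "$key" +%Y-%m-%d)
    modulus=$(openssl rsa -noout -modulus -in "$key" | sed 's/^Modulus=//')
    if modulus_is_blacklisted "$modulus" "$blacklist"; then
        echo "REPLACE: $key matches a known weak key"
        return 0
    fi
    if is_affected_codename "$codename" && in_affected_window "$mtime"; then
        echo "REVIEW: $key was generated on $codename on/after 2006-09-17 but is not in this blacklist; run dowkd.pl as well"
        return 0
    fi
    echo "OK: $key shows no sign of the Debian weak-key defect"
    return 1
}
```

A key that passes this script is not proven safe: the blacklist only covers the key sizes and architectures it was built for, and the mtime proxy can be wrong if the key was copied between hosts. Treat a REVIEW result as a reason to run the published detector, and when in doubt follow the replacement steps above.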

Please Note: ComodoCA is not affiliated in any direct way with the Debian Project.
