[Pkg-openssl-devel] Bug#471958: openssl: Generated private keys world-readable by default
Lionel Elie Mamane
lionel at mamane.lu
Fri Mar 21 13:13:29 UTC 2008
On Fri, Mar 21, 2008 at 01:20:01PM +0100, Florian Weimer wrote:
>> master at capsaicin:~ 148 $ openssl genrsa -out foo 512
>> -rw-r--r-- 1 master master 493 mar 21 11:51 foo
>> The generated key should really not be world-readable by default.
> You could simply use a more restrictive umask.
Yes, but that command is used by several application-specific scripts;
I find it safer to have openssl do the secure thing by default rather
than go and fix all scripts that call it to set a correct umask.
(The application-specific script that made me notice this is astgenkey
from asterisk.)
--
Lionel
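
Added example, not part of the original message and not code from openssl or astgenkey: a POSIX sh sketch of the umask workaround discussed above, wrapping a key-generating command so its output is created without group/other permission bits, plus a check for files that were not. The names `with_private_umask`, `is_private`, `fake_keygen` and `demo` are hypothetical, and `fake_keygen` is a constructed stand-in for the real generator so the example runs without openssl.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from openssl or astgenkey.

# Run a command under umask 077 in a subshell, so files it creates get no
# group/other bits and the caller's own umask is left unchanged.
# A calling script could use: with_private_umask openssl genrsa -out foo 512
with_private_umask() {
    ( umask 077 && "$@" )
}

# Succeed only if FILE has no group/other permission bits.
# In the ls -ld mode string (e.g. "-rw-------"), characters 5-10 are the
# group and other triplets. Returns 2 if FILE does not exist.
is_private() {
    [ -e "$1" ] || return 2
    bits=$(ls -ld -- "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Constructed stand-in for a key generator: writes placeholder data to $1
# using whatever umask is in effect, as "openssl genrsa -out" does in the report.
fake_keygen() {
    echo "constructed placeholder, not a real key" > "$1"
}

# Generate one file under the common default umask 022 and one through the
# wrapper, then report which of them other users could read.
demo() {
    dir=$(mktemp -d) || return 1
    ( umask 022 && fake_keygen "$dir/default.key" )
    with_private_umask fake_keygen "$dir/private.key"
    for f in "$dir"/*.key; do
        if is_private "$f"; then
            echo "private: $f"
        else
            echo "EXPOSED: $f"
        fi
    done
    rm -rf "$dir"
}

demo
```
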