[Pkg-openssl-devel] Bug#471958: openssl: Generated private keys world-readable by default
Florian Weimer
fw at deneb.enyo.de
Fri Mar 21 13:23:38 UTC 2008
* Lionel Elie Mamane:
> On Fri, Mar 21, 2008 at 01:20:01PM +0100, Florian Weimer wrote:
>
>>> master at capsaicin:~ 148 $ openssl genrsa -out foo 512
>>> -rw-r--r-- 1 master master 493 mar 21 11:51 foo
>
>>> The generated key should really not be world-readable by default.
>
>> You could simply use a more restrictive umask.
>
> Yes, but that command is used by several application-specific scripts;
> I find it safer to have openssl do the secure thing by default rather
> than go and fix all scripts that call it to set a correct umask.
This would mean that these scripts break when used with older OpenSSL
versions, or versions that haven't been patched (assuming that upstream
doesn't pick up the change). Therefore, I don't think this is a good
idea to patch Debian unilaterally.
More information about the Pkg-openssl-devel
mailing list