[Pkg-openssl-devel] Bug#918717: Bug#918717: openssl: wrong signature type on a specific website with openssl.cnf shipped in debian
Sebastian Andrzej Siewior
sebastian at breakpoint.cc
Tue Jan 8 18:30:01 GMT 2019
On 2019-01-08 17:40:04 [+0100], Jérémy Lal wrote:
> Package: openssl
> Version: 1.1.1a-1
> Severity: normal
>
> Hi,
>
> curl https://portal.gexpertise.fr/GexPortal
> returns an error,
>
> however (you need nodejs 10.15~dfsg-8 for this file to be available - the file in itself
> is there to be able to run upstream tests suites)
> OPENSSL_CONF=/usr/include/nodejs/openssl.cnf curl https://portal.gexpertise.fr/GexPortal
> does work
The server is vulnerable to OpenSSL Padding Oracle vulnerability
(CVE-2016-2107) [0].

The problem is that the remote server is signing the certificate with
SHA1 instead of something stronger:

|No client certificate CA names sent
|Peer signing digest: SHA1
|Peer signature type: RSA
|Server Temp Key: ECDH, P-256, 256 bits

Kurt, did we want to enable SHA1 for DEFAULT at SECLEVEL=2?

[0] https://www.ssllabs.com/ssltest/analyze.html?d=portal.gexpertise.fr
> Jérémy
Sebastian
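
A check for the condition described in the message above, added here as an example and not part of the original thread: it reads `openssl s_client` summary output and flags a weak peer signing digest. The function names are hypothetical, the sample input is constructed from the lines quoted in the message, and treating MD5 and SHA1 as too weak for SECLEVEL=2 is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample: the s_client summary lines quoted in the message above.
SAMPLE_OUTPUT='No client certificate CA names sent
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits'

# Print the value of one "Key: value" line from s_client output on stdin.
# (hypothetical helper name)
s_client_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# Classify the handshake summary on stdin by its peer signing digest.
# Assumption of this example: MD5, SHA1 and MD5-SHA1 count as too weak
# for a client configured with SECLEVEL=2.
# Prints "weak <digest>", "ok <digest>" or "unknown".
# Returns 1 for weak, 0 for ok, 2 when the field is absent.
check_peer_digest() {
    digest=$(s_client_field "Peer signing digest")
    case "$digest" in
        "")               echo "unknown";      return 2 ;;
        MD5|SHA1|MD5-SHA1) echo "weak $digest"; return 1 ;;
        *)                echo "ok $digest";   return 0 ;;
    esac
}

# Offline demonstration on the constructed sample (prints "weak SHA1").
printf '%s\n' "$SAMPLE_OUTPUT" | check_peer_digest || true

# Against a live server you administer, feed real output instead:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
#       | check_peer_digest
```

The "unknown" result covers handshakes where s_client prints no peer signing digest line at all, so it should be reviewed rather than read as a pass.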