funsec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Fake CA MD5 questions

From: "Jason Ross" <algorythm () gmail com>
Date: Tue, 30 Dec 2008 21:28:39 -0500
On Tue, Dec 30, 2008 at 19:29, Rob, grandpa of Ryan, Trevor, Devon &
Hannah <rMslade () shaw ca> wrote:

Date sent:              Tue, 30 Dec 2008 12:09:36 +0100
From:                   Jacob Appelbaum <jacob () appelbaum net>


http://events.ccc.de/2008/12/30/the-cat-is-out-of-the-bag/

MD5 considered harmful today: Creating a rogue CA certificate



First, you need 5 CAs that use MD5 hashes.  How many do that?  How many CAs
use *only* MD5s?


To partially answer the first question anyway, a very quick and likely
imprecise check
of my Debian default installation of openssl contains the following 24
CA certs as
using "md5WithRSAEncryption" for the Signature Algorithm:

/usr/lib/ssl/certs/spi-ca-2003.pem
/usr/lib/ssl/certs/GTE_CyberTrust_Root_CA.pem
/usr/lib/ssl/certs/root.pem
/usr/lib/ssl/certs/Thawte_Personal_Freemail_CA.pem
/usr/lib/ssl/certs/TC_TrustCenter__Germany__Class_2_CA.pem
/usr/lib/ssl/certs/Entrust.net_Global_Secure_Personal_CA.pem
/usr/lib/ssl/certs/StartCom_Ltd..pem
/usr/lib/ssl/certs/TC_TrustCenter__Germany__Class_3_CA.pem
/usr/lib/ssl/certs/class3.pem
/usr/lib/ssl/certs/NetLock_Notary_=Class_A=_Root.pem
/usr/lib/ssl/certs/Thawte_Personal_Basic_CA.pem
/usr/lib/ssl/certs/Thawte_Premium_Server_CA.pem
/usr/lib/ssl/certs/IPS_Servidores_root.pem
/usr/lib/ssl/certs/Entrust.net_Global_Secure_Server_CA.pem
/usr/lib/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem
/usr/lib/ssl/certs/NetLock_Express_=Class_C=_Root.pem
/usr/lib/ssl/certs/Thawte_Server_CA.pem
/usr/lib/ssl/certs/Equifax_Secure_eBusiness_CA_1.pem
/usr/lib/ssl/certs/GTE_CyberTrust_Global_Root.pem
/usr/lib/ssl/certs/Entrust.net_Secure_Personal_CA.pem
/usr/lib/ssl/certs/NetLock_Business_=Class_B=_Root.pem
/usr/lib/ssl/certs/Thawte_Time_Stamping_CA.pem
/usr/lib/ssl/certs/GlobalSign_Root_CA.pem
/usr/lib/ssl/certs/Thawte_Personal_Premium_CA.pem


(the "root.pem" and "class3.pem" both belong to cacert.org)


For the curious, and for transparency, I used the following
(admittedly quick and very dirty) method to obtain this list:

$ cat md5ca.sh
#!/bin/bash
CERTDIR=`openssl version -d |awk -F: '{print $2}' |sed 's/\s*"//g'`

for cert in \
`find -L $CERTDIR -name "*.pem" -or -name "*.cert" -or -name "*.crt" -type f` ;

do

   openssl x509 -noout -text -in $cert | \
   grep "Signature Algorithm" | \
   grep md5 >/dev/null 2>&1

   [ $? == 0 ] && echo $cert

done 2> /dev/null


--
Jason
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Previous By Date Next
Previous By Thread Next

Current thread: