Re: [Bacula-users] debian/ssl
2008-05-16 01:07:38
Hi Florian,
Florian Heigl wrote:
> Hi,
>
> as most are probably aware, Debian had a little "Oops" concerning openssl
> (http://wiki.debian.org/SSLkeys#head-49a0007d742a0fcc4742d630456fecc08016fbb8).
> Unfortunately there is no mention of Bacula in their wiki so far.
Another thing is that the Debian package no longer ships with
OpenSSL support because of licensing issues.
>
> Does anyone know if
> - one should bother redoing the Bacula SD/DIR/FD/Console pass strings?
>   (they're done using openssl, and so far I thought they look quite random)
> - someone already made scripts for regenerating the SSL/TLS keys for
>   people that use this for Bacula
> - people who used SD encryption might want to migrate / re-encrypt as
>   this might (I don't know!) be more susceptible to the weakness
>
> Reading the "backupbox" section's advice
> "start from scratch, destroying all trace of the backed up data, and
> take other measures to mitigate the exposure of your secrets" I feel
> there might be reason to worry.
As far as I read about this security update on Debian, there is only a
"small" number of different keys, or as this guy says, the key is dependent on
the process ID
(http://chdir.org/~nico//blog/posts/Pire_que_je_croyais.../). With a
workstation you will be able to compute all the possible keys.
So yes, regenerate all your keys and somehow re-encrypt the data if
you're in need of the encryption security.
- Thomas
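
The point made in the reply above (a secret that depends only on the process ID comes from a set small enough to enumerate), shown as an added example that is not part of the original thread: an audit that flags Bacula `Password` lines whose value falls in such a set. `toy_passphrase` is a hypothetical stand-in and not OpenSSL's PRNG, and the configuration is constructed sample data; a real audit would compare against the blacklists Debian published.

```python
import base64
import hashlib
import re
import secrets

PID_MAX = 32768  # default Linux pid_max, so PIDs run from 1 to 32767


def toy_passphrase(pid, nbytes=33):
    """Toy generator (assumption): the PID is the only seed material."""
    stream = b"".join(
        hashlib.sha256(b"toy|%d|%d" % (pid, i)).digest() for i in range(2)
    )
    return base64.b64encode(stream[:nbytes]).decode("ascii")


def digest(secret):
    """Store and compare digests so the blacklist holds no usable secrets."""
    return hashlib.sha256(secret.encode("ascii", "replace")).hexdigest()


def build_blacklist():
    """Digest of every passphrase the toy generator can ever emit."""
    return {digest(toy_passphrase(pid)) for pid in range(1, PID_MAX)}


PASSWORD_RE = re.compile(r'^\s*Password\s*=\s*"([^"]*)"', re.IGNORECASE)


def audit(config_text, blacklist):
    """Return the line numbers of Password directives that must be regenerated."""
    flagged = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = PASSWORD_RE.match(line)
        if match and digest(match.group(1)) in blacklist:
            flagged.append(lineno)
    return flagged


# Constructed sample: line 3 holds a weak value, line 7 a properly random one.
SAMPLE_CONF = f'''Director {{
  Name = example-dir
  Password = "{toy_passphrase(4242)}"
}}
Storage {{
  Name = example-sd
  Password = "{base64.b64encode(secrets.token_bytes(33)).decode("ascii")}"
}}
'''

if __name__ == "__main__":
    bl = build_blacklist()
    print(len(bl), "possible weak passphrases; flagged lines:", audit(SAMPLE_CONF, bl))
```

The whole candidate set is 32767 entries and builds in well under a second, which is why a passphrase that looks random can still be worthless.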
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users