From owner-freebsd-security@freebsd.org  Sun Sep  6 18:52:38 2015
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 10C329CB9C7
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Sun,  6 Sep 2015 18:52:38 +0000 (UTC)
 (envelope-from pch-bBB316E3E@u-1.phicoh.com)
Received: from stereo.hq.phicoh.net (stereo6.hq.phicoh.net
 [IPv6:2001:888:1044:10:2a0:c9ff:fe9f:17a9])
 by mx1.freebsd.org (Postfix) with ESMTP id 8E5EC871
 for <freebsd-security@freebsd.org>; Sun,  6 Sep 2015 18:52:36 +0000 (UTC)
 (envelope-from pch-bBB316E3E@u-1.phicoh.com)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by
 stereo.hq.phicoh.net with esmtp
 (Smail #91) id m1ZYf3K-0000HdC; Sun, 6 Sep 2015 20:52:34 +0200
Message-Id: <m1ZYf3K-0000HdC@stereo.hq.phicoh.net>
To: freebsd-security@freebsd.org
Subject: ssh sshfp improvement
From: Philip Homburg <pch-fbsd@u-1.phicoh.com>
Sender: pch-bBB316E3E@u-1.phicoh.com
Date: Sun, 06 Sep 2015 20:52:29 +0200
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Sep 2015 18:52:38 -0000

Hi,

I'm not sure if this is the right list for this. If it isn't, then please
redirect me to the right one.

I found three issues with how openssh handles SSHFP records:
- If DNSSEC verification fails it displays a (to me) confusing error
  message 'Matching host key fingerprint found in DNS.'
- It trusts resolvers doing DNSSEC validation instead of always doing
  local validation
- It fails to do local validation due to lack of trust anchor.

In any case, ldns, which is used for this feature, is not the right tool
for the job.

So I wrote a patch to use getdns instead. I submitted to patch to the openssh
maintainers, but they don't seem to care.

As far as I know, FreeBSD is the only system that enables SSHFP validation by
default so it makes sense to submit it here as well.

I put my code up on github.
https://github.com/phicoh/openssh-getdns
branch getdns.

Philip

From owner-freebsd-security@freebsd.org  Fri Sep 11 18:12:04 2015
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id A99D1A01F01
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Fri, 11 Sep 2015 18:12:04 +0000 (UTC) (envelope-from marck@rinet.ru)
Received: from woozle.rinet.ru (woozle.rinet.ru [195.54.192.68])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 3108C13B5
 for <freebsd-security@FreeBSD.org>; Fri, 11 Sep 2015 18:12:00 +0000 (UTC)
 (envelope-from marck@rinet.ru)
Received: from localhost (localhost [127.0.0.1])
 by woozle.rinet.ru (8.14.5/8.14.5) with ESMTP id t8BI9QvT047046
 for <freebsd-security@FreeBSD.org>; Fri, 11 Sep 2015 21:09:28 +0300 (MSK)
 (envelope-from marck@rinet.ru)
Date: Fri, 11 Sep 2015 21:09:26 +0300 (MSK)
From: Dmitry Morozovsky <marck@rinet.ru>
To: freebsd-security@FreeBSD.org
Subject: SmartCards/Tokens recommended for TLS CA under FreeBSD
Message-ID: <alpine.BSF.2.00.1509112106190.43621@woozle.rinet.ru>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-NCC-RegID: ru.rinet
X-OpenPGP-Key-ID: 6B691B03
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3
 (woozle.rinet.ru [0.0.0.0]); Fri, 11 Sep 2015 21:09:28 +0300 (MSK)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Sep 2015 18:12:04 -0000

Dear colleagues,

what vendors/models could you recomment to implement enterprize 2-level CA?

We used Aladdin Pro (non-Java), but they are long gone, and I could not 
reimplement sign tree with sha256 after a dozen of experiments.

sha1 and 2k keys is a must, sha256 is almost a must, and 4k/ellyplic 
would be feasible.

Thanks in advance.

-- 
Sincerely,
D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer:                                 marck@FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------