
List:       openssh-bugs
Subject:    [Bug 2040] Downgrade attack vulnerability when checking SSHFP records
From:       bugzilla-daemon () mindrot ! org
Date:       2012-09-07 7:07:22
Message-ID: bug-2040-705-aLbV6SdjSa () https ! bugzilla ! mindrot ! org/

https://bugzilla.mindrot.org/show_bug.cgi?id=2040

--- Comment #5 from Ondřej Caletka <ondrej@caletka.cz> ---
(In reply to comment #3)
> Wouldn't it be simpler and safer to verify that all fingerprints
> match? I.e. verify that both SHA1 and SHA256 SSHFP records verify
> correctly. Right now we need only one success and ignore all the
> hash mismatches...

This would actually prevent doing a smooth host key rollover, where you
pre-publish SSHFP records for the new host key, then change the host
key and delete the old SSHFP records after that. As DNS updates are never
synchronous, you cannot change SSHFP records at the same moment as the host
key.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
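To make the trade-off in this exchange concrete, here is an added Python model (not code from OpenSSH or from any participant in the thread) of SSHFP checking under the "one matching record suffices" behaviour the thread describes, the "all records must match" policy proposed in comment #3, and a third, sketched policy of my own that is an assumption, not something the thread proposes. The key blobs are constructed stand-ins; the algorithm and fingerprint-type numbers follow RFC 4255 / RFC 6594.

```python
import hashlib

# SSHFP fingerprint types (RFC 4255 / RFC 6594): 1 = SHA-1, 2 = SHA-256.
FP_SHA1, FP_SHA256 = 1, 2
_DIGEST = {FP_SHA1: hashlib.sha1, FP_SHA256: hashlib.sha256}
RSA = 1  # SSHFP algorithm number for RSA host keys

def fingerprint(key_blob: bytes, fptype: int) -> str:
    """Hex fingerprint of a raw host-key blob for one SSHFP fingerprint type."""
    return _DIGEST[fptype](key_blob).hexdigest()

def publish(algo, key_blob, fptypes=(FP_SHA1, FP_SHA256)):
    """SSHFP records (algo, fptype, hexfp) an operator would publish for one key."""
    return [(algo, t, fingerprint(key_blob, t)) for t in fptypes]

def verify_any(algo, key_blob, records):
    """Behaviour described in the thread: one matching record is enough."""
    return any(a == algo and fp == fingerprint(key_blob, t) for a, t, fp in records)

def verify_all(algo, key_blob, records):
    """Comment #3 proposal: every record for this key algorithm must match."""
    rel = [(t, fp) for a, t, fp in records if a == algo]
    return bool(rel) and all(fp == fingerprint(key_blob, t) for t, fp in rel)

def verify_strongest(algo, key_blob, records):
    """Sketched alternative (assumption, not from the thread): only records of the
    strongest fingerprint type published for this algorithm count, so a match on a
    weaker type is ignored once a stronger type exists, while extra records that
    belong to another key (mid-rollover) do not cause a failure."""
    rel = [(t, fp) for a, t, fp in records if a == algo]
    if not rel:
        return False
    best = max(t for t, _ in rel)
    return any(fp == fingerprint(key_blob, t) for t, fp in rel if t == best)

# Constructed sample keys: arbitrary bytes stand in for real host-key blobs.
OLD_KEY = b"constructed-old-rsa-host-key"
NEW_KEY = b"constructed-new-rsa-host-key"

def rollover_outcomes():
    """Mid-rollover zone: SSHFP records for the old and the new key coexist.
    Returns {policy: (old key accepted?, new key accepted?)}."""
    zone = publish(RSA, OLD_KEY) + publish(RSA, NEW_KEY)
    return {name: (fn(RSA, OLD_KEY, zone), fn(RSA, NEW_KEY, zone))
            for name, fn in (("any", verify_any), ("all", verify_all),
                             ("strongest", verify_strongest))}

if __name__ == "__main__":
    for policy, (old_ok, new_ok) in rollover_outcomes().items():
        print(f"{policy:9s} old key: {old_ok}  new key: {new_ok}")
```

Running it shows the point of the reply: with both keys' records published, the "all" policy rejects the old and the new key alike, while "any" accepts both.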
