OCaml Forge

Forum: ocamlcore.org-ssh-ssl-key-update-and-gforge-upgrade

Posted by: Sylvain Le Gall
Date: 2008-05-15 13:49
Summary: OCamlCore.org SSH/SSL key update and GForge upgrade
Project: Site Admin

-- SSH/SSL issue --

On 2008/05/14, a grave bug in the Debian OpenSSL package was discovered. This implies that every SSH key and SSL certificate generated since 2006 is weak.

As of today, we have secured the certificate on the ocamlcore.org site.

In particular, the new fingerprints are:

SSH DSA key fingerprint of forge.ocamlcore.org
39:70:8d:ed:09:db:79:46:f5:2e:5d:a9:6c:28:a1:73

SSH RSA key fingerprint of forge.ocamlcore.org
07:e8:ea:4f:ed:4f:62:a6:c5:66:78:5b:b3:bb:00:36

SHA1 SSL certificate fingerprint of forge.ocamlcore.org
13:37:45:AE:5A:F4:6F:5E:EA:37:BF:A3:DA:B3:D7:55:E8:BE:1E:B1

Every user's SSH key should be updated if it is a weak key. Use "ssh-vulnkey" from the latest openssh Debian package to check whether your key is weak or not.

For now, the security setup of ocamlcore.org makes brute-force attacks complicated (DenyHosts will forbid too many authentication failures, which makes a brute-force attack a little more complicated, though not impossible). So we will let people connect using their key until the end of the week.

After 2008/05/17, we will enable the OpenSSH weak key blacklist, which will prevent any connection using a weak key. You should update your key before this date.


-- GForge upgrade --

On 2008/05/15, in the morning, a security update of GForge was installed automatically.

This update broke some parts of the ocamlcore.org configuration, which brought down the HTTP server.

The site is now back online, but projects should check that everything is correct on their side (e.g. that their CVS/SVN is not broken).

This GForge update has led to an update of the chroot that we have customized over time.

We have checked everything against the last backup of the chroot, but it is better to double check. In particular, the chroot contains CVS/SVN files.

We are sorry for the delay, which is mainly due to getting a new SSL certificate from our certificate authority (which is actually under a heavy load due to the SSL security issue).

The OCamlCore.org Team.

The signed version of this document with Sylvain Le Gall's GPG key:
https://forge.ocamlcore.org/docman/view.php/1/3/announce-upgrade.txt.asc
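
To check that the host key a client has recorded is one of those announced above, the following added example (not part of the original announcement or of OCamlCore's own tooling) recomputes the MD5 colon-hex fingerprint from a known_hosts-style line and compares it with the published values. The function names are hypothetical and the sample key is constructed for illustration, so it does not match.

```python
import base64
import hashlib
import hmac
import struct

# Fingerprints published in the announcement (MD5 of the public key blob).
ANNOUNCED = {
    "ssh-dss": "39:70:8d:ed:09:db:79:46:f5:2e:5d:a9:6c:28:a1:73",
    "ssh-rsa": "07:e8:ea:4f:ed:4f:62:a6:c5:66:78:5b:b3:bb:00:36",
}

def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(data)) + data

def parse_key_line(line: str):
    """Parse 'host keytype base64 [comment]' and return (keytype, blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-blob")
    keytype, blob = fields[1], base64.b64decode(fields[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob repeats the key type as its first field; both must agree.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != keytype.encode():
        raise ValueError("key type in blob does not match the line")
    return keytype, blob

def md5_fingerprint(blob: bytes) -> str:
    """Format the MD5 digest of a key blob as colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_announcement(line: str) -> bool:
    """True only if the line's key has the fingerprint announced for its type."""
    keytype, blob = parse_key_line(line)
    expected = ANNOUNCED.get(keytype)
    if expected is None:
        return False
    return hmac.compare_digest(md5_fingerprint(blob), expected)

# Constructed sample key (not the real host key): exponent 65537, dummy modulus.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + b"\xc3" * 128))
SAMPLE_LINE = "forge.ocamlcore.org ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_BLOB), matches_announcement(SAMPLE_LINE))
```

A False result for the real host line means the recorded key is not the one announced here and the connection should not be trusted until the fingerprint has been verified through another channel.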

Discussion Forums: ocamlcore.org-ssh-ssl-key-update-and-gforge-upgrade

Topic: Can't Connect to SVN | Topic Starter: Robert Fischer | Replies: 0 | Last Post: 2008-05-20 19:33