Content-type: text/html Man page of OPENSSL-VULNKEY

OPENSSL-VULNKEY

Section: User Commands (1)
Index Return to Main Contents

BSD mandoc
 

NAME

openssl-vulnkey - check blacklist of compromised certificates, requests and keys  

SYNOPSIS

[-q ] file ...
[-q ] -b BITS -m MODULUS  

DESCRIPTION

checks a certificate, request or key against a blacklist of compromised moduli.

A substantial number of certificates, requests and keys are known to have been generated using a broken version of OpenSSL distributed by Debian which failed to seed its random number generator correctly. x509 certificates, certificate requests and RSA keys generated using these OpenSSL versions should be assumed to be compromised. This tool may be useful in checking for such OpenSSL x509 certificates, certificate requests and RSA keys.

Certificates, requests and keys that are compromised cannot be repaired; replacements must be generated using openssl(8).

If ``-'' is given as an argument, will read from standard input. This can be used to process certificate output from s_client1ssl, for example:

$ echo | openssl s_client -connect remote.example.org:https | openssl-vulnkey

will test the certificate used by remote.example.org for HTTPS.

The options are as follows:

-q
Quiet mode. Normally, outputs the fingerprint of each file scanned, with a description of its status. This option suppresses that output.
-b
Number of bits for the modulus specified. Requires -m.
-m
Check modulus. Requires -b.

 

BLACKLIST SHA1SUM FORMAT

The blacklist file may start with comments, on lines starting with ``#'' After these initial comments, it must follow a strict format:

The fingerprint of the modulus may be generated using

$ openssl x509 -noout -modulus -in file | sha1sum | cut -d ' ' -f 1
$ openssl rsa -noout -modulus -in file | sha1sum | cut -d ' ' -f 1
$ openssl req -noout -modulus -in file | sha1sum | cut -d ' ' -f 1

This strict format is necessary to allow the blacklist file to be checked quickly.  

SEE ALSO

openssl(1)  

AUTHORS

An -nosplit An Jamie Strandboge Aq [email protected]

Much of this manpage is based on Colin Watson's ssh-vulnkey1


 

Index

NAME
SYNOPSIS
DESCRIPTION
BLACKLIST SHA1SUM FORMAT
SEE ALSO
AUTHORS

This document was created by man2html, using the manual pages.
Time: 03:41:11 GMT, September 24, 2010