Dear Lazyweb: how do I check SSL keys for vulnerability?

    Based on conversations on the Freenode channel #linux.conf.au, I modified my survey of mail servers to attempt a STARTTLS command, and collect SSL key fingerprints from the mail servers which have a valid response. I now have a collection of SSL keys "from the wild". Interestingly, the distribution is decidedly non-random, with 5c4b1e60f69c168d40ad648017f8856a7d3816c7 appearing more than 7,000 times in my dataset.

    I've had a quick look at the openssl-blacklist package on Ubuntu, and its not immediately obvious how I can efficiently feed a large list of SSL key fingerprints to openssl-vulnkey to determine which ones are vulnerable. It occurs to me that someone must have already thought about this. Does that person want to save me some time?

posted at: 21:03 | path: /research | permanent link to this entry
    #2 craig


    dunno if it's in ubuntu or not (probably is), but the debian openssl-blacklist package has an 'openssl-vulnkey' program (a python script) which checks ssl keys against the blacklist.

    this does the same job as the ssh-vulnkey in the openssh-client package, but for any ssl key, not just ssh.


    something like the following (unoptimised, awkward but function) command line will check all keys know to apache:

    grep -sh SSLCertificateFile /etc/apache2/*/* | sed -e 's/#.*//' | pcregrep -v '^\s*$'| awk '{print $2}' | sort -u | print0 | xargs -0r -n 1 openssl-vulnkey


    (actually, i'm not 100% sure if that's the latest or most functional variation of that command line or not...it was just the first one i found in the .bash_history files of my various servers from when i needed it a week or so ago. it, or something based on it, will do the job :)

    #3 mikal

    To clarify, I have a list of SSL key fingerprints in the form: 


    
   1454 'f0cbb4189d02cef48746c9711b3906dfd49dfd87'

    
   1577 '6a471fae793db9d6624a46a99fcd4d010a3509c3'

    
   2061 'b8690185512f24733cd4f49c9e895ed5e6161a4e'

    
   2091 'cb5f4979e36458d6be302d8e9c4820b52a8b2ff0'

    
   2394 '2a37c5a1fad1f53f4e7b4ee840069d9e3e0c3677'

    
   2577 'e55568210742b5b7c4468946dea7616532c4088f'

    
   7068 '5c4b1e60f69c168d40ad648017f8856a7d3816c7'


    I now need to know how to mangle that into something that one of the vulnerability checkers knows how to handle.
    Add a comment to this post:

    Your name:

    Your email: Email me new comments on this post
      (Your email will not be published on this site, and will only be used to contact you directly with a reply to your comment if needed. Oh, and we'll use it to send you new comments on this post it you selected that checkbox.)


    Your website:

    Comments: