Dear Lazyweb: how do I check SSL keys for vulnerability?
Based on conversations on the Freenode channel #linux.conf.au, I modified my survey of mail servers to attempt a STARTTLS command, and collect SSL key fingerprints from the mail servers which have a valid response. I now have a collection of SSL keys "from the wild". Interestingly, the distribution is decidedly non-random, with 5c4b1e60f69c168d40ad648017f8856a7d3816c7 appearing more than 7,000 times in my dataset.
I've had a quick look at the openssl-blacklist package on Ubuntu, and it's not immediately obvious how I can efficiently feed a large list of SSL key fingerprints to openssl-vulnkey to determine which ones are vulnerable. It occurs to me that someone must have already thought about this. Does that person want to save me some time?
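One way to run the batch check described above, as an added example that is not code from the original post or from the openssl-blacklist package. It assumes the survey records each certificate's RSA modulus in hex (a certificate fingerprint alone cannot be matched), and it assumes blacklist entries are the last 20 hex digits of the SHA-1 of the `Modulus=<HEX>` line that `openssl rsa -noout -modulus` prints; the host names, moduli and blacklist below are constructed.

```python
import hashlib
from collections import Counter

def blacklist_key(modulus_hex):
    # Assumed entry format: last 20 hex digits of SHA-1("Modulus=<HEX>\n"),
    # i.e. the hash of what `openssl rsa -noout -modulus` prints.
    line = "Modulus=%s\n" % modulus_hex.strip().upper()
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]

def load_blacklist(lines):
    # One entry per line; skip blanks and '#' comments.
    entries = (ln.strip().lower() for ln in lines)
    return {e for e in entries if e and not e.startswith("#")}

def check_survey(observations, blacklist):
    # observations: iterable of (host, modulus_hex) pairs.
    # Deduplicate first so a key seen thousands of times is hashed once.
    counts = Counter(mod.strip().upper() for _host, mod in observations)
    weak = {mod: n for mod, n in counts.items()
            if blacklist_key(mod) in blacklist}
    return counts, weak

# Constructed sample data: short fake moduli, not real keys.
MOD_SHARED = "C0FFEE0123456789ABCDEF"
MOD_UNIQUE = "00DEADBEEF9876543210FE"
SAMPLE_OBSERVATIONS = [
    ("mx1.example.org", MOD_SHARED),
    ("mx2.example.org", MOD_SHARED.lower()),
    ("mail.example.net", MOD_SHARED),
    ("smtp.example.com", MOD_UNIQUE),
]
# Constructed blacklist containing only the shared key's entry.
SAMPLE_BLACKLIST = load_blacklist(
    ["# constructed", "", blacklist_key(MOD_SHARED)])

if __name__ == "__main__":
    counts, weak = check_survey(SAMPLE_OBSERVATIONS, SAMPLE_BLACKLIST)
    # Most frequently seen keys first, with their blacklist status.
    for mod, n in counts.most_common():
        status = "BLACKLISTED" if mod in weak else "ok"
        print("%5d  %s  %s" % (n, blacklist_key(mod), status))
```

For a real run, pass the opened blacklist file for the matching key size to `load_blacklist` and the survey rows to `check_survey`.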
Tags for this post: research
posted at: 21:03 | path: /research
