Alex Samad wrote:
On Thu, May 15, 2008 at 07:43:13PM -0400, Chris Adams wrote:
On May 15, 2008, at 6:25 PM, Alex Samad wrote:
is there away to check x509 certs with these tools ?
Yes - the wiki has one (http://wiki.debian.org/SSLkeys) but you might
prefer the openssl-blacklist package which Ubuntu prepared:
https://launchpad.net/ubuntu/+source/openssl-blacklist/
It runs out of the box on Debian and if you edit debian/control to
change the openssl dependency from the Ubuntu version
(0.9.8g-4ubuntu3.1) to the Debian version (0.9.8c-4etch3) you can dpkg-
buildpackage it and deploy it to multiple systems. I used it like this
to flush out Apache keys:
sudo find /etc/ -xdev -type f -name \*.key -exec openssl-vulnkey {} \;
I have done this and check some .key files, but they show up as not
blacklisted, when I know they have been created in the last 12 months. I
thought I read some where the keys are different depending on weather it
was generated on a 32b or 64b system.
You might want to update the blacklist with the 64b generated keys
Chris
From what I understand ssh-vulnkey only check to see if a key is listed in the
blacklist (already compromised). Is there any way to empirically test whether
a key is vulnerable or not?
--Jim