openssl-vulnkey - Online in the Cloud

Run openssl-vulnkey in OnWorks free hosting provider over Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

This is the command openssl-vulnkey that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

Run in Ubuntu Run in Fedora Run in Windows Sim Run in MACOS Sim

PROGRAM:

NAME

openssl-vulnkey — check blacklist of compromised certificates, requests and keys

SYNOPSIS

openssl-vulnkey [-q] file ...
openssl-vulnkey [-q] -b BITS -m MODULUS

DESCRIPTION

openssl-vulnkey checks a certificate, request or key against a blacklist of compromised
moduli.

A substantial number of certificates, requests and keys are known to have been generated
using a broken version of OpenSSL distributed by Debian which failed to seed its random
number generator correctly. x509 certificates, certificate requests and RSA keys generated
using these OpenSSL versions should be assumed to be compromised. This tool may be useful
in checking for such OpenSSL x509 certificates, certificate requests and RSA keys.

Certificates, requests and keys that are compromised cannot be repaired; replacements must
be generated using openssl(8).

If “-” is given as an argument, openssl-vulnkey will read from standard input. This can be
used to process certificate output from s_client(1ssl), for example:

$ echo | openssl s_client -connect remote.example.org:https | openssl-vulnkey -

will test the certificate used by remote.example.org for HTTPS.

The options are as follows:

-q Quiet mode. Normally, openssl-vulnkey outputs the fingerprint of each file scanned,
with a description of its status. This option suppresses that output.

-b Number of bits for the modulus specified. Requires -m.

-m Check modulus. Requires -b.

BLACKLIST SHA1SUM FORMAT

The blacklist file may start with comments, on lines starting with “#”. After these initial
comments, it must follow a strict format:

· Each line must consist of the lower-case hexadecimal SHA1 fingerprint of the
certificate or key's modulus, and with the first 20 characters removed (that is,
the least significant 80 bits of the fingerprint).

The fingerprint of the modulus may be generated using

$ openssl x509 -noout -modulus -in file | sha1sum | cut -d ' ' -f 1
$ openssl rsa -noout -modulus -in file | sha1sum | cut -d ' ' -f 1
$ openssl req -noout -modulus -in file | sha1sum | cut -d ' ' -f 1

This strict format is necessary to allow the blacklist file to be checked quickly.

Use openssl-vulnkey online using onworks.net services