openssl-vulnkey *.key
Hopefully by now most Debian sysadmins have updated their systems and regenerated any weak OpenSSL keys they found. After last week's disclosure, the Debian team has done a great job identifying every possibly affected program and every type of key, and for sure there are many.
Special pages were created to help people migrate their keys and to identify whether their keys are weak or not. In my previous post I discussed how to identify and regenerate vulnerable SSH keys, obviously the ones most targeted by attacks exploiting this issue. This post answers the questions I have received by email on how to identify and regenerate Apache PEM keys (SSL certificates).
The Ubuntu team has created a package which verifies whether PEM files are vulnerable or not. The package is called "openssl-blacklist", and it was repackaged for Debian and built for etch: http://xillion.org/openssl-blacklist/. Download the package and install it with dpkg:
wget http://xillion.org/openssl-blacklist/openssl-blacklist_0.1-0~debian-1_all.deb
dpkg -i openssl-blacklist_0.1-0~debian-1_all.deb
Now that you have installed openssl-blacklist you can test your keys/PEM files using openssl-vulnkey:
openssl-vulnkey <FILE>
For example, if you have all your keys (with the .key extension) inside /etc/apache2/ssl you could run:
cd /etc/apache2/ssl
openssl-vulnkey *.key
or, if you also have PEM keys:
openssl-vulnkey *.key *.pem
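As an added example (not code from the original post), here is a small POSIX shell script that extends the commands above: it walks a directory tree recursively, runs openssl-vulnkey on every .key, .pem and .crt file it finds, and lists the flagged ones. It assumes the openssl-blacklist package is installed and that openssl-vulnkey exits non-zero for a blacklisted file; the optional second argument (a stand-in checker command) exists only so the loop can be tested without the real tool.

```shell
#!/bin/sh
# Added example, not part of the original post: walk a directory tree,
# run openssl-vulnkey on every key, PEM file and certificate found, and
# list the ones the blacklist flags.
# Assumptions: openssl-blacklist is installed, and openssl-vulnkey exits
# non-zero for a blacklisted key. The second argument (CHECKER) is only a
# hook for substituting a stand-in command when testing the loop itself.

scan_keys() {
    dir="$1"
    checker="${2:-openssl-vulnkey}"
    find "$dir" -type f \( -name '*.key' -o -name '*.pem' -o -name '*.crt' \) |
    {
        total=0
        weak=0
        # read line by line so paths containing spaces survive
        while IFS= read -r f; do
            total=$((total + 1))
            if ! "$checker" "$f" >/dev/null 2>&1; then
                weak=$((weak + 1))
                echo "WEAK: $f"
            fi
        done
        echo "$total file(s) checked, $weak flagged as weak"
        # the subshell's exit status becomes scan_keys' return value:
        # 0 means nothing was flagged, otherwise the number of weak files
        # (shell exit codes are capped at 255)
        exit "$weak"
    }
}

# usage: sh scan.sh /etc/apache2/ssl
if [ -n "${1:-}" ]; then
    scan_keys "$1"
fi
```

Run it from cron or before a certificate audit; a non-zero exit status tells you at least one file needs regenerating.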
If you have found weak keys you will want to regenerate them. Hopefully your certificate authority will offer a free reissue of your certificate(s), so this bug will not cost you even more than it already has (most companies do this for free, e.g. Thawte, VeriSign, DigiCert, GeoTrust). Check with your certificate authority for specific details.
Normally, to have a certificate reissued you will have to create a new private key and a new CSR (Certificate Signing Request), send the CSR to your CA, and the CA will reissue the certificate and send it back to you:
openssl genrsa -out domainname.key 1024
openssl req -new -key domainname.key -out domainname.csr
cat domainname.csr -> send this output to your CA
Good luck, and hopefully this post has answered the questions I got by email on how to identify and reissue Apache SSL keys (sorry for the late replies, it has been a crazy week).
Tags: debian-etch, openssl
9th June 2008, 07:48
I noticed ‘openssh-blacklist’ installed in Etch after my last ‘apt-get dist-upgrade’ too.
21st July 2008, 14:37
I found that 2048 bits is currently the maximum key size supported by RapidSSL (other CAs may support higher key sizes).
I'd suggest using 2048 instead of the 1024 bits from the article, for better security.