.\" Copyright (c) 2008 Canonical Ltd.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: May 12 2008 $
.Dt OPENVPN-VULNKEY 1
.Os
.Sh NAME
.Nm openvpn-vulnkey
.Nd check blacklist of compromised keys
.Sh SYNOPSIS
.Nm
.Op Fl q
.Ar file ...
.Sh DESCRIPTION
.Nm
checks a key against a blacklist of compromised keys.
.Pp
A substantial number of keys are known to have been generated using a broken
version of OpenSSL distributed by Debian which failed to seed its random
number generator correctly.
Keys generated using these OpenSSL versions should be assumed to be
compromised.
This tool may be useful in checking for such OpenVPN shared static keys. See
.Xr openssl-vulnkey 1
for details on checking SSL/TLS certificates.
.Pp
Keys that are compromised cannot be repaired; replacements must be generated
using 
.Xr openvpn 8 .
Shared keys can be regenerated with:
.Pp
.Dl $ openvpn --genkey --secret file
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl q
Quiet mode.
.Xr openvpn-vulnkey 1 .
Normally,
.Nm
outputs the fingerprint of each key scanned, with a description of its
status.
This option suppresses that output.
.El
.Sh BLACKLIST MD5SUM FORMAT
The blacklist file may start with comments, on lines starting with
.Dq # .
After these initial comments, it must follow a strict format:
.Pp
.Bl -bullet -offset indent -compact
.It
Each line must consist of the lower-case hexadecimal MD5 key fingerprint,
and with the first 12 characters removed (that is, the least significant 80
bits of the fingerprint).
.El
.Pp
The key fingerprint may be generated using
.Pp
.Dl $ cat file.pem | sed '/^[^0-9a-f]/d' | md5sum | cut -d ' ' -f 1
.Pp
This strict format is necessary to allow the blacklist file to be checked
quickly.
.Sh SEE ALSO
.Xr openvpn 8
.Xr openssl-vulnkey 1
.Sh AUTHORS
.An -nosplit
.An Jamie Strandboge Aq jamie@ubuntu.com
.Pp
Much of this manpage is based on Colin Watson's
.Xr ssh-vulnkey 1