NAME
openvpn-vulnkey — check blacklist of compromised keys
SYNOPSIS
openvpn-vulnkey [-q] file ...
DESCRIPTION
openvpn-vulnkey checks a key against a blacklist of compromised keys.
A substantial number of keys are known to have been generated using a broken
version of OpenSSL distributed by Debian which failed to seed its random
number generator correctly. Keys generated using these OpenSSL versions should
be assumed to be compromised. This tool may be useful in checking for such
OpenVPN shared static keys. See
openssl-vulnkey(1) for details on checking
SSL/TLS certificates.
Keys that are compromised cannot be repaired; replacements must be generated
using openvpn(8). Shared keys can be regenerated with:
$ openvpn --genkey --secret file
The options are as follows:
-q
Quiet mode. Normally, openvpn-vulnkey outputs the fingerprint of each key
scanned, with a description of its status. This option suppresses that
output.
The blacklist file may start with comments, on lines starting with
“#”. After these initial comments, it must follow a strict
format:
- Each line must consist of the lower-case hexadecimal MD5 key fingerprint
with the first 12 characters removed (that is, the least significant
80 bits of the fingerprint, as 20 hex digits).
A key is reported as compromised when its shortened fingerprint appears on
one of these lines. The full key fingerprint may be generated using
$ cat file.pem | sed '/^[^0-9a-f]/d' | md5sum | cut -d ' ' -f 1
The sed expression drops every line whose first character is not a
lower-case hex digit, which removes the comment lines and the BEGIN/END
marker lines of an OpenVPN static key file, so only the key material is
hashed.
This strict format is necessary to allow the blacklist file to be checked
quickly.
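The fingerprint computation and blacklist format described above, as an added Python example that is not the openvpn-vulnkey implementation: it reproduces the sed/md5sum pipeline, shortens the fingerprint to the 20-digit blacklist entry, loads a blacklist in the strict format (comments only at the top, then one entry per line), and reports each key. The key file and the blacklist are constructed inline; the key material is a fixed byte pattern, not a real or compromised key, and the function names and the COMPROMISED/Not blacklisted wording are this example's own.

```python
"""Check OpenVPN static keys against an openvpn-vulnkey style blacklist.

Added example; not the openvpn-vulnkey tool itself. All inputs below are
constructed for illustration.
"""
import hashlib

HEX_LOWER = set("0123456789abcdef")


def make_key(material: bytes) -> str:
    """Constructed OpenVPN static key file around the given bytes, laid out
    the way openvpn --genkey writes one: comment header, BEGIN marker,
    32 lower-case hex digits per line, END marker."""
    body = material.hex()
    lines = [body[i:i + 32] for i in range(0, len(body), 32)]
    return ("#\n# 2048 bit OpenVPN static key\n#\n"
            "-----BEGIN OpenVPN Static key V1-----\n"
            + "".join(line + "\n" for line in lines)
            + "-----END OpenVPN Static key V1-----\n")


# Constructed sample: an arbitrary byte pattern, NOT a real key.
SAMPLE_KEY = make_key(bytes(range(256)))


def key_fingerprint(key_text: str) -> str:
    """MD5 over the key material, equivalent to
    sed '/^[^0-9a-f]/d' | md5sum: a line is dropped when its first
    character is not a lower-case hex digit (comments, BEGIN/END markers);
    sed leaves empty lines alone, so they are kept too. The surviving
    lines are hashed with their line terminators, as cat would feed them."""
    kept = [line for line in key_text.splitlines(keepends=True)
            if line == "\n" or line[0] in HEX_LOWER]
    return hashlib.md5("".join(kept).encode("utf-8")).hexdigest()


def blacklist_entry(fingerprint: str) -> str:
    """Blacklist form of a fingerprint: first 12 hex digits removed,
    leaving the least significant 80 bits as 20 hex digits."""
    return fingerprint[12:]


def is_valid_entry(line: str) -> bool:
    """Strict format for a non-comment blacklist line."""
    return len(line) == 20 and all(c in HEX_LOWER for c in line)


def load_blacklist(text: str) -> set:
    """Parse a blacklist: '#' comment lines only at the top, then exactly
    one 20-digit entry per line. Anything else is rejected, since the
    strict format is what makes the lookup a plain set membership test."""
    entries = set()
    in_header = True
    for lineno, line in enumerate(text.splitlines(), 1):
        if in_header and line.startswith("#"):
            continue
        in_header = False
        if not is_valid_entry(line):
            raise ValueError(f"blacklist line {lineno}: bad entry {line!r}")
        entries.add(line)
    return entries


def check_key(key_text: str, blacklist: set) -> tuple:
    """Return (full fingerprint, blacklisted?) for one key file."""
    fp = key_fingerprint(key_text)
    return fp, blacklist_entry(fp) in blacklist


def scan(named_keys, blacklist: set, quiet: bool = False) -> bool:
    """Report each (name, key text) pair unless quiet; return True if any
    key is on the blacklist. Output wording is this example's own."""
    found = False
    for name, text in named_keys:
        fp, bad = check_key(text, blacklist)
        found = found or bad
        if not quiet:
            status = "COMPROMISED" if bad else "Not blacklisted"
            print(f"{fp} {name}: {status}")
    return found


if __name__ == "__main__":
    # Constructed blacklist: comment header, then the sample key's own
    # entry, so the sample is reported as compromised.
    entry = blacklist_entry(key_fingerprint(SAMPLE_KEY))
    bl = load_blacklist("# constructed blacklist\n# example only\n" + entry + "\n")
    scan([("sample.key", SAMPLE_KEY), ("other.key", make_key(bytes(256)))], bl)
```

Because the header, comment and marker lines are stripped before hashing, two key files that differ only in their comments produce the same fingerprint; only the hex key material counts.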
SEE ALSO
openvpn(8), openssl-vulnkey(1)
AUTHORS
Jamie Strandboge ⟨jamie@ubuntu.com⟩
Much of this manpage is based on Colin Watson's ssh-vulnkey(1).