On 14/05/18 11:39, Jakob Bohm via dev-security-policy wrote:
On 14/05/2018 10:42, Hanno Böck wrote:
Yesterday was the 10y anniversary of the Debian OpenSSL random number
A few days ago I did a re-check of the CT logs for vulnerable keys.
I found one unexpired, unrevoked certificate issued by a CA called
"QuoVadis". I reported it and it's been revoked, they told me they'll
check their systems why this certificate issuance wasn't blocked.
I also found an unrevoked Wosign cert that I had already reported last
year. The abuse contact of wosign bounces mails.
(My check was semi-thorough, I didn't have access to all the possible
key combinations that could be generated with the Debian bug. There may
be more certs in the logs.)
You could try the openssl-blacklist package distributed by Debian in
both source and prepackaged form. If you use the packaged form, be sure
to include the openssl-blacklist-extra package which contains the lists
of RSA-4096 and RSA-512 keys.
Their included checking program (in the .diff file) is in Python.
Today I've added a Debian weak key check feature to crt.sh. I augmented
Debian's original blacklists with some other blacklists I generated
~10yrs ago for a few less common key sizes .
I'm currently running the check against all of the certs on the crt.sh
DB. I'll report back once this has completed.
Senior Research & Development Scientist
dev-security-policy mailing list