Alex Samad wrote: On Thu, May 15, 2008 at 07:43:13PM -0400, Chris Adams wrote:On May 15, 2008, at 6:25 PM, Alex Samad wrote:is there away to check x509 certs with these tools ?Yes - the wiki has one (http://wiki.debian.org/SSLkeys) but you might prefer the openssl-blacklist package which Ubuntu prepared: https://launchpad.net/ubuntu/+source/openssl-blacklist/ It runs out of the box on Debian and if you edit debian/control to change the openssl dependency from the Ubuntu version (0.9.8g-4ubuntu3.1) to the Debian version (0.9.8c-4etch3) you can dpkg- buildpackage it and deploy it to multiple systems. I used it like this to flush out Apache keys: sudo find /etc/ -xdev -type f -name \*.key -exec openssl-vulnkey {} \;I have done this and check some .key files, but they show up as not blacklisted, when I know they have been created in the last 12 months. I thought I read some where the keys are different depending on weather it was generated on a 32b or 64b system. You might want to update the blacklist with the 64b generated keysChris From what I understand ssh-vulnkey only check to see if a key is listed in the blacklist (already compromised). Is there any way to empirically test whether a key is vulnerable or not? --Jim |