sourCEntral -   <div class="manpages" id="manpage"> <a href="%$(PREFIX)$%1+OPENVPN-VULNKEY">OPENVPN-VULNKEY(1)</a> BSD General Commands Manual <a href="%$(PREFIX)$%1+OPENVPN-VULNKEY">OPENVPN-VULNKEY(1)</a> NAME openvpn-vulnkey — check blacklist of compromised keys SYNOPSIS openvpn-vulnkey [−q] file ... DESCRIPTION openvpn-vulnkey checks a key against a blacklist of compromised keys. A substantial number of keys are known to have been generated using a broken version of OpenSSL distributed by Debian which failed to seed its random number generator correctly. Keys generated using these OpenSSL versions should be assumed to be compromised. This tool may be useful in checking for such OpenVPN shared static keys. See <a href="%$(PREFIX)$%1+openssl-vulnkey">openssl-vulnkey(1)</a> for details on checking SSL/TLS certificates. Keys that are compromised cannot be repaired; replacements must be generated using <a href="%$(PREFIX)$%8+openvpn">openvpn(8)</a>. Shared keys can be regenerated with: $ openvpn --genkey --secret file Quiet mode. <a href="%$(PREFIX)$%1+openvpn-vulnkey">openvpn-vulnkey(1)</a>. Normally, openvpn-vulnkey outputs the fingerprint of each key scanned, with a description of its status. This option suppresses that output. BLACKLIST MD5SUM FORMAT The blacklist file may start with comments, on lines starting with ‘‘#’’. After these initial comments, it must follow a strict format: • Each line must consist of the lower-case hexadecimal MD5 key fingerprint, and with the first 12 characters removed (that is, the least significant 80 bits of the fingerprint). The key fingerprint may be generated using $ cat file.pem | sed ’/^[^0-9a-f]/d’ | md5sum | cut -d ’ ’ -f 1 This strict format is necessary to allow the blacklist file to be checked quickly. SEE ALSO <a href="%$(PREFIX)$%8+openvpn">openvpn(8)</a> <a href="%$(PREFIX)$%1+openssl-vulnkey">openssl-vulnkey(1)</a> AUTHORS Jamie Strandboge 〈 jamie AT ubuntu DOT com〉 Much of this manpage is based on Colin Watson’s <a href="%$(PREFIX)$%1+ssh-vulnkey">ssh-vulnkey(1)</a> BSD December 20, 2012 BSD </div>

OPENVPN-VULNKEY(1) BSD General Commands Manual OPENVPN-VULNKEY(1)

NAME

openvpn-vulnkey — check blacklist of compromised keys

SYNOPSIS

openvpn-vulnkey [−q] file ...

DESCRIPTION

openvpn-vulnkey checks a key against a blacklist of compromised keys.

A substantial number of keys are known to have been generated using a broken version of OpenSSL distributed by Debian which failed to seed its random number generator correctly. Keys generated using these OpenSSL versions should be assumed to be compromised. This tool may be useful in checking for such OpenVPN shared static keys. See openssl-vulnkey(1) for details on checking SSL/TLS certificates.

Keys that are compromised cannot be repaired; replacements must be generated using openvpn(8). Shared keys can be regenerated with:

$ openvpn --genkey --secret file

Quiet mode. openvpn-vulnkey(1). Normally, openvpn-vulnkey outputs the fingerprint of each key scanned, with a description of its status. This option suppresses that output.

BLACKLIST MD5SUM FORMAT

The blacklist file may start with comments, on lines starting with ‘‘#’’. After these initial comments, it must follow a strict format:

•

Each line must consist of the lower-case hexadecimal MD5 key fingerprint, and with the first 12 characters removed (that is, the least significant 80 bits of the fingerprint).

The key fingerprint may be generated using

$ cat file.pem | sed ’/^[^0-9a-f]/d’ | md5sum | cut -d ’ ’ -f 1

This strict format is necessary to allow the blacklist file to be checked quickly.

SEE ALSO

openvpn(8) openssl-vulnkey(1)

AUTHORS

Jamie Strandboge 〈 jamie AT ubuntu DOT com〉

Much of this manpage is based on Colin Watson’s ssh-vulnkey(1)

BSD December 20, 2012 BSD

pdf

sourCEntral - mobile manpages