Provided by: openvpn-blacklist_0.5_all

NAME

       openvpn-vulnkey — check blacklist of compromised keys

SYNOPSIS

       openvpn-vulnkey [-q] file ...

DESCRIPTION

       openvpn-vulnkey checks a key against a blacklist of compromised keys.

       A  substantial  number  of  keys  are  known  to  have  been  generated using a broken version of OpenSSL
       distributed by Debian which failed to seed its random number generator correctly.  Keys  generated  using
       these OpenSSL versions should be assumed to be compromised.  This tool may be useful in checking for such
       OpenVPN shared static keys. See openssl-vulnkey(1) for details on checking SSL/TLS certificates.

       Keys  that  are  compromised cannot be repaired; replacements must be generated using openvpn(8).  Shared
       keys can be regenerated with:

             $ openvpn --genkey --secret file

       The options are as follows:

       -q      Quiet mode.  Normally, openvpn-vulnkey outputs the fingerprint of each key  scanned,  with  a
               description of its status.  This option suppresses that output.

BLACKLIST MD5SUM FORMAT

       The blacklist file may start with comments, on lines starting with “#”.  After these initial comments, it
       must follow a strict format:

              •   Each line must consist of the lower-case hexadecimal MD5 key fingerprint with the first 12
                  characters removed (that is, the least significant 80 bits of the fingerprint).

       The key fingerprint may be generated using

             $ cat file.pem | sed '/^[^0-9a-f]/d' | md5sum | cut -d ' ' -f 1

       This strict format is necessary to allow the blacklist file to be checked quickly.
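       The following Python is an added example, not the openvpn-blacklist package's own code: it  reproduces
       the  sed  filter,  the  MD5 fingerprint and the 80-bit blacklist lookup end to end, using a constructed
       key file and blacklist rather than real ones; the function names are my own.

```python
import hashlib

HEX = frozenset("0123456789abcdef")


def key_fingerprint(key_text: str) -> str:
    """Same bytes as: sed '/^[^0-9a-f]/d' file.pem | md5sum (32 hex chars).

    The sed pattern needs a first character, so empty lines survive it too;
    header, comment and BEGIN/END lines start with '#' or '-' and are dropped.
    """
    kept = [ln for ln in key_text.splitlines(keepends=True)
            if ln.rstrip("\n") == "" or ln[0] in HEX]
    return hashlib.md5("".join(kept).encode("ascii")).hexdigest()


def blacklist_entry(fingerprint: str) -> str:
    """The blacklist keeps only the least significant 80 bits: fingerprint[12:]."""
    return fingerprint[12:]


def load_blacklist(text: str) -> frozenset:
    """Strict parse: optional leading '#' comments, then 20 lower-case hex chars per line."""
    entries = set()
    for ln in text.splitlines():
        if ln.startswith("#") and not entries:
            continue                      # comments are only allowed before the first entry
        if len(ln) != 20 or not set(ln) <= HEX:
            raise ValueError("malformed blacklist line: %r" % ln)
        entries.add(ln)
    return frozenset(entries)


def check_key(key_text: str, blacklist: frozenset) -> tuple:
    """Return (fingerprint, status), the two things openvpn-vulnkey reports per key."""
    fp = key_fingerprint(key_text)
    status = "COMPROMISED" if blacklist_entry(fp) in blacklist else "Not blacklisted"
    return fp, status


# Constructed sample with the layout written by `openvpn --genkey --secret`,
# but a short made-up body instead of a real 2048-bit key.
SAMPLE_KEY = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    "0123456789abcdef0123456789abcdef\n"
    "fedcba9876543210fedcba9876543210\n"
    "-----END OpenVPN Static key V1-----\n"
)

if __name__ == "__main__":
    # A one-entry blacklist built from the sample itself, so the lookup shows a hit.
    bl = load_blacklist("# constructed blacklist\n" + blacklist_entry(key_fingerprint(SAMPLE_KEY)) + "\n")
    print("%s %s" % check_key(SAMPLE_KEY, bl))
```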

SEE ALSO

       openvpn(8) openssl-vulnkey(1)

AUTHORS

       Jamie Strandboge <jamie@ubuntu.com>

       Much of this manpage is based on Colin Watson's ssh-vulnkey(1)

Debian                                            May 12, 2008                                OPENVPN-VULNKEY(1)