Finding weak Debian SSL certs on your domains...


New Member
You may be aware of the big commotion caused by the bug that Debian introduced into its package of OpenSSL which has caused all SSL certificates generated by a Debian-based or Debian-derived system since some time in 2006 to be compromised due to lack or sufficient entropy (coverage: slashdot, register).

In short, you need to check that certificates on your system are not affected by the bug, even if you have always been using the CentOS setup here, because any cert created by a Debian system and then transfered onto yours makes your server vulnerable. Depending on the number of domains and certs you have this could be a massive process.

I found this post on a Windows app which will help you scan for certificates which are affected by the bug (which you then need to have regenerated).

You download that zip file and then you need to add to it the cert blacklists which have been generated by the Ubuntu team. To do this you go to:

Download the most recent package there and untar it. Find the files named "blacklist.RSA-1024" and "blacklist.RSA-2048" in that package and then copy them over to the directory where you have the sslscan program. Then follow the directions to run the sslscan program and scan your domains.

I imagine there are also linux apps to do this same thing but I found this convenient for Windows users.