path: root/scripts/mail-weak-keys.php
diff options
authorBernhard Fröhlich <>2011-04-08 22:54:31 +0200
committerBernhard Fröhlich <>2011-04-08 22:54:31 +0200
commit6dd75856f30923879eb01bc94ae7a735dc413063 (patch)
treeb2278600cae566c2f6c7c09156882e08d42c15b2 /scripts/mail-weak-keys.php
parent949ae23c8343c139ef3a27790c7f5e9bd1ee6206 (diff)
First version of mailing script added
Diffstat (limited to 'scripts/mail-weak-keys.php')
1 files changed, 33 insertions, 0 deletions
diff --git a/scripts/mail-weak-keys.php b/scripts/mail-weak-keys.php
new file mode 100755
index 0000000..f8909c9
--- /dev/null
+++ b/scripts/mail-weak-keys.php
@@ -0,0 +1,33 @@
+#!/usr/bin/php -q
+<? # Companion script to, takes output and sends a mail to each owner of a weak cert
+ $action_date = '2011-04-??';
+ $in = fopen("php://stdin", "r");
+ while($in_string = rtrim(fgets($in, 255))) {
+ list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial) = explode("\t", $in_string);
+ $mail_text =
+"Dear $owner_name,
+CAcert recently became aware that some of the server certficates signed by CAcert =pose a security risk because they are backed by private keys that are vulnerable to attack.
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+You received this email because a certificate issued to you is vulnerable:
+Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date. CAcert will no longer accept vulnerable certificate requests for signing. In future all Certficate Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
+You should submit a new Certificate Signing Request of acceptable strength as soon as possible and replace your existing certificate.
+If you are interested in background information on this change please refer to this document
+ echo $mail_text;
+ }
+ fclose($in);