diff options
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/mail-weak-keys.php | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/scripts/mail-weak-keys.php b/scripts/mail-weak-keys.php new file mode 100755 index 0000000..f8909c9 --- /dev/null +++ b/scripts/mail-weak-keys.php @@ -0,0 +1,33 @@ +#!/usr/bin/php -q +<? # Companion script to DumpWeakCerts.pl, takes output and sends a mail to each owner of a weak cert + + $action_date = '2011-04-??'; + $in = fopen("php://stdin", "r"); + while($in_string = rtrim(fgets($in, 255))) { + list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial) = explode("\t", $in_string); + + $mail_text = +"Dear $owner_name, + +CAcert recently became aware that some of the server certficates signed by CAcert =pose a security risk because they are backed by private keys that are vulnerable to attack. + +The security issues identified are: +Private keys with a small key size. These keys are vulnerable to brute force attack. +Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks. +Private keys generated by a compromised version of OpenSSL distributed by Debian. + +You received this email because a certificate issued to you is vulnerable: + +Serial $cert_serial, expiring $cert_expire, CN $cert_CN + +To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date. CAcert will no longer accept vulnerable certificate requests for signing. In future all Certficate Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities. + +You should submit a new Certificate Signing Request of acceptable strength as soon as possible and replace your existing certificate. + +If you are interested in background information on this change please refer to this document http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf +-------------------- +"; + echo $mail_text; + } + fclose($in); +?> |