[cacert-devel.git] / scripts / mail-weak-keys.php
1 #!/usr/bin/php -q
2 <? # Companion script to DumpWeakCerts.pl, takes output and sends a mail to each owner of a weak cert
4 $action_date = '2011-04-??';
5 $in = fopen("php://stdin", "r");
6 while($in_string = rtrim(fgets($in, 255))) {
7 list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial) = explode("\t", $in_string);
9 $mail_text =
10 "Dear $owner_name,
12 CAcert recently became aware that some of the server certficates signed by CAcert =pose a security risk because they are backed by private keys that are vulnerable to attack.
14 The security issues identified are:
15 Private keys with a small key size. These keys are vulnerable to brute force attack.
16 Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
17 Private keys generated by a compromised version of OpenSSL distributed by Debian.
19 You received this email because a certificate issued to you is vulnerable:
21 Serial $cert_serial, expiring $cert_expire, CN $cert_CN
23 To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date. CAcert will no longer accept vulnerable certificate requests for signing. In future all Certficate Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
25 You should submit a new Certificate Signing Request of acceptable strength as soon as possible and replace your existing certificate.
27 If you are interested in background information on this change please refer to this document http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
28 --------------------
29 ";
30 echo $mail_text;
31 }
32 fclose($in);
33 ?>