2011-06-16 09:20:13 +00:00
|
|
|
#!/usr/bin/php -q
|
|
|
|
<? # Companion script to DumpWeakCerts.pl, takes output and sends a mail to each owner of a weak cert
|
|
|
|
|
|
|
|
function SendServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
|
|
|
|
$mail_text =
|
|
|
|
"Dear $owner_name,
|
|
|
|
|
|
|
|
CAcert recently became aware that some of the certificates signed by CAcert pose a security
|
|
|
|
risk because they are backed by private keys that are vulnerable to attack.
|
|
|
|
|
|
|
|
The security issues identified are:
|
|
|
|
Private keys with a small key size. These keys are vulnerable to brute force attack.
|
|
|
|
Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
|
|
|
|
Private keys generated by a compromised version of OpenSSL distributed by Debian.
|
|
|
|
|
|
|
|
You received this email because a certificate issued to you is vulnerable:
|
|
|
|
|
|
|
|
Server Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
|
|
|
|
|
|
|
|
To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
|
2013-11-06 16:28:19 +00:00
|
|
|
CAcert will no longer accept vulnerable certificate requests for signing. In future all Certificate
|
2011-06-16 09:20:13 +00:00
|
|
|
Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
|
|
|
|
|
|
|
|
You should submit a new Certificate Signing Request of acceptable strength as soon as possible
|
|
|
|
and replace your existing certificate.
|
|
|
|
|
|
|
|
If you are interested in background information on this change please refer to this document:
|
|
|
|
http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
|
|
|
|
|
|
|
|
Kind regards
|
|
|
|
CAcert Suport Team
|
|
|
|
";
|
|
|
|
mail($cert_email, "[CAcert.org]CAcert Server Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
|
|
|
|
}
|
|
|
|
|
|
|
|
function SendClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
|
|
|
|
$mail_text =
|
|
|
|
"Dear $owner_name,
|
|
|
|
|
|
|
|
CAcert recently became aware that some of the certificates signed by CAcert pose a security
|
|
|
|
risk because they are backed by private keys that are vulnerable to attack.
|
|
|
|
|
|
|
|
The security issues identified are:
|
|
|
|
Private keys with a small key size. These keys are vulnerable to brute force attack.
|
|
|
|
Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
|
|
|
|
Private keys generated by a compromised version of OpenSSL distributed by Debian.
|
|
|
|
|
|
|
|
You received this email because a certificate issued to you is vulnerable:
|
|
|
|
|
|
|
|
Client Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
|
|
|
|
|
|
|
|
To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
|
|
|
|
CAcert will no longer accept vulnerable certificate requests for signing. In future all
|
2013-11-06 16:28:19 +00:00
|
|
|
client certificates must be backed by private keys with a key length at least 1024 bits
|
2011-06-16 09:20:13 +00:00
|
|
|
and no other known vulnerabilities.
|
|
|
|
|
|
|
|
This means that you should replace your current certificate with a new one of acceptable strength.
|
|
|
|
If you use Firefox or Chrome, select 'Keysize: High Grade' before 'Create Certificate Request'.
|
|
|
|
If you use Internet Explorer, select 'Microsoft Strong Cryptographic Provider'. If you select an
|
2013-11-06 16:28:19 +00:00
|
|
|
option that generates a weak key (eg 'Microsoft Base Cryptographic Provider v1.0') your certificate
|
2011-06-16 09:20:13 +00:00
|
|
|
request will be rejected.
|
|
|
|
|
|
|
|
Kind regards
|
|
|
|
CAcert Suport Team
|
|
|
|
";
|
|
|
|
mail($cert_email, "[CAcert.org]CAcert Client Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
|
|
|
|
}
|
|
|
|
|
|
|
|
function SendOrgServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
|
|
|
|
$mail_text =
|
|
|
|
"Dear $owner_name,
|
|
|
|
|
|
|
|
CAcert recently became aware that some of the certificates signed by CAcert pose a security
|
|
|
|
risk because they are backed by private keys that are vulnerable to attack.
|
|
|
|
|
|
|
|
The security issues identified are:
|
|
|
|
Private keys with a small key size. These keys are vulnerable to brute force attack.
|
|
|
|
Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
|
|
|
|
Private keys generated by a compromised version of OpenSSL distributed by Debian.
|
|
|
|
|
|
|
|
You received this email because a certificate issued to you is vulnerable:
|
|
|
|
|
|
|
|
Organisation Server Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
|
|
|
|
|
|
|
|
To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
|
2013-11-06 16:28:19 +00:00
|
|
|
CAcert will no longer accept vulnerable certificate requests for signing. In future all Certificate
|
2011-06-16 09:20:13 +00:00
|
|
|
Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
|
|
|
|
|
|
|
|
You should submit a new Certificate Signing Request of acceptable strength as soon as possible
|
|
|
|
and replace your existing certificate.
|
|
|
|
|
|
|
|
If you are interested in background information on this change please refer to this document:
|
|
|
|
http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
|
|
|
|
|
|
|
|
Kind regards
|
|
|
|
CAcert Suport Team
|
|
|
|
";
|
|
|
|
mail($cert_email, "[CAcert.org]CAcert Organisation Server Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
|
|
|
|
}
|
|
|
|
|
|
|
|
function SendOrgClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
|
|
|
|
$mail_text =
|
|
|
|
"Dear $owner_name,
|
|
|
|
|
|
|
|
CAcert recently became aware that some of the certificates signed by CAcert pose a security
|
|
|
|
risk because they are backed by private keys that are vulnerable to attack.
|
|
|
|
|
|
|
|
The security issues identified are:
|
|
|
|
Private keys with a small key size. These keys are vulnerable to brute force attack.
|
|
|
|
Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
|
|
|
|
Private keys generated by a compromised version of OpenSSL distributed by Debian.
|
|
|
|
|
|
|
|
You received this email because a certificate issued to you is vulnerable:
|
|
|
|
|
|
|
|
Organisation Client Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
|
|
|
|
|
|
|
|
To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
|
|
|
|
CAcert will no longer accept vulnerable certificate requests for signing. In future all
|
2013-11-06 16:28:19 +00:00
|
|
|
client certificates must be backed by private keys with a key length at least 1024 bits
|
2011-06-16 09:20:13 +00:00
|
|
|
and no other known vulnerabilities.
|
|
|
|
|
|
|
|
This means that you should replace your current certificate with a new one of acceptable strength.
|
|
|
|
If you use Firefox or Chrome, select 'Keysize: High Grade' before 'Create Certificate Request'.
|
|
|
|
If you use Internet Explorer, select 'Microsoft Strong Cryptographic Provider'. If you select an
|
2013-11-06 16:28:19 +00:00
|
|
|
option that generates a weak key (eg 'Microsoft Base Cryptographic Provider v1.0') your certificate
|
2011-06-16 09:20:13 +00:00
|
|
|
request will be rejected.
|
|
|
|
|
|
|
|
Kind regards
|
|
|
|
CAcert Suport Team
|
|
|
|
";
|
|
|
|
mail($cert_email, "[CAcert.org]CAcert Organisation Client Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
|
|
|
|
}
|
|
|
|
|
|
|
|
# Main
|
|
|
|
|
|
|
|
$num_domain = 0;
|
|
|
|
$num_client = 0;
|
|
|
|
$num_orgdomain = 0;
|
|
|
|
$num_orgclient = 0;
|
2011-06-26 19:59:18 +00:00
|
|
|
$action_date = '2011-07-15';
|
2011-06-16 09:20:13 +00:00
|
|
|
$in = fopen("php://stdin", "r");
|
|
|
|
while($in_string = rtrim(fgets($in, 255))) {
|
|
|
|
list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial) = explode("\t", $in_string);
|
|
|
|
|
|
|
|
if ($cert_type == "DomainCert") {
|
|
|
|
SendServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
|
|
|
|
$num_domain++;
|
|
|
|
} else if ($cert_type == "EmailCert") {
|
|
|
|
SendClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
|
|
|
|
$num_client++;
|
|
|
|
} else if ($cert_type == "OrgServerCert") {
|
|
|
|
SendOrgServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
|
|
|
|
$num_orgdomain++;
|
|
|
|
} else if ($cert_type == "OrgEmailCert") {
|
|
|
|
SendOrgClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
|
|
|
|
$num_orgclient++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
fclose($in);
|
|
|
|
echo "Mails sent: $num_domain server certs, $num_client client certs, $num_orgdomain Org server certs, $num_orgclient Org client certs.\n";
|
|
|
|
?>
|