« May 2013 | Main | July 2013 »

4 posts from June 2013


Check Public Key Bit Length With This

Update: There is an updated version of this script located on my post: Here's a New Version of skeypatrol.pl

With only about 6 months left before Certificate Authorities stop supporting certificates with 1024-bit keys, I thought it would be neat to find a quicker way than using OpenSSL's s_client or a web browser to determine whether or not the server certificate on a web site needed to be replaced. Believe me, if you have a bunch of sites, visiting all of them with browser, click the lock icon, and then view the certificate details gets really tedious after the first 5 or 10 sites.

So, here's a new script, skeypatrol.pl, based on work I did in cryptonark, and this functionality will make it into the next cnark release in a week or so. The initial version outputs the size of the public key included in the ssl certificate. Other than a tcp handshake and a TLS handshake, no requests are sent to the server. If the number of bits in the cert is below 2048, the script's output will be colored red, (or whatever color your terminal theme decides is "RED").

#!/usr/bin/env perl

use Modern::Perl;
use Term::ANSIColor qw(:constants);
use IO::Socket::SSL 1.33 'debug0';
use Mozilla::CA;
use Getopt::Long;
#use Data::Dumper;

my $scriptname = "skeypatrol.pl";
my $version = "v0.1";
my ( $host, $port );
my $insecure = '';
my $verifymode = 2;
my $pkeybits;
my $sslclient;
my $x509;

sub usage{
    say "Usage: $scriptname <host> <port>\n\t\t-h|--host\tSSL host or common name \n\t\t-p|--port\tPort number site listens on (e.g. 443)\n\t\t-i|--insecure\tDo not verify certificates";

usage() if ( ! GetOptions("h|host=s" => \$host, "p|port=s" => \$port, "i|insecure" => $insecure ) or ( ! defined $host ) or ( ! defined $port ) );

if ( $insecure eq 1 ) {
    $verifymode = 0;

sub key_length {
    if ( $pkeybits lt 2048 ) {
        print RED, "Certificate for $host uses a $pkeybits bit key\n", RESET;
    else {
        print GREEN, "Certificate for $host uses a $pkeybits bit key\n", RESET;

sub ssl_client {
    $sslclient = IO::Socket::SSL->new(
        PeerHost => "$host:$port",
        SSL_ca_file => Mozilla::CA::SSL_ca_file(),
        SSL_verify_mode => $verifymode,
        SSL_version => 'TLSv1',
        SSL_cipher => 'RC4-SHA',
        Proto => 'tcp',
        Timeout => '15'
            ||die("Certificate Peer Verification Failed.\n$!,$SSL_ERROR\n\nRun $scriptname with the -i|--insecure switch if you wish to disable certificate validation\n\n");
            $sslclient->verify_hostname($host, "http")
                ||die("Hostname verification failed.\n$host does not match common name on certificate.\nYou can bypass this by passing the -i|--insecure switch to $scriptname\n\n");
        say "Certificate Peer Validation Successful";

        $x509 = get_cert($sslclient);

sub get_cert {
    my $sslclient = shift()->_get_ssl_object || return;
    return Net::SSLeay::get_peer_certificate($sslclient);

sub get_key_size {
    $pkeybits = Net::SSLeay::EVP_PKEY_bits(Net::SSLeay::X509_get_pubkey($x509));


#Begin perldoc


=head1 TITLE


=head1 VERSION

Version 0.1

=head1 DATE

June 24, 2013

=head1 AUTHOR

Chris Mahns Contact me at: techstacks [at] gmail [dot] com or follow me on Twitter: @techstacks


skeypatrol.pl was written because I wanted to know whether the public key at the end of the ssl connection was 1024 bits or not. This is useful in case you're looking to know what ssl certificates you need to replace before they stop working on January 1, 2014.

=head1 USAGE

skeypatrol.pl --host <host_to_scan> --port <port_number>

Both parameters are required in this version and I assume that the script is marked user-executable.


CPAN modules Modern::Perl, Term::ANSIColor, IO::Socket::SSL, Getopt::Long, and Mozilla::CA are used. If you have already used cryptonark, you've already got these.


=head2 VERSION 0.1

+ Initial release.



CryptoNark 0.4.8 Released

So, it has been quite a while since I last posted an update to CryptoNark. Over one year actually. During that time, there have been quite a few high profile vulnerabilities like BEAST, CRIME, TLS Renegotiation. There have also been quite a few improvements to SSL/TLS during that time. OpenSSL 1.0 introduced support for TLS1.2, for example. Today, I'm posting the availability of cryptonark v0.4.8.

Changes and enhancements in CryptoNark v0.4.8:

  • All non-SSL related functionality has been removed from CryptoNark. I personally use it primarily as an ssl tool and there are other tools out there that do a better job of scanning for unsafe URLs or TRACE/TRACK vulnerabilities. Normally, I will use one of my own scripts dedicated to those tasks any way and rarely used cnark's -xl option.
  • Removing the -xl/--kitchen-sink options negates the needs for CPAN modules XML::LibXML, HTTP::Headers, and HTTP::Request.
  • Added OpenSSL version detection. Nothing fancy here but if your openssl version is 1.0.0 or greater. CryptoNark will scan with TLS 1.2 ciphers in addition to SSL2, SSL3, and TLS1.
  • Added elliptic curve (ECDH/ECDHE) cipher suites to SSL3/TLS1/TLS1.2 scans.
  • MD5 ciphers are now flagged as weak.

You can download a copy from the Downloads page and thanks a lot for giving cryptonark a try!


Apache Tomcat 7.0.41 Released

The Apache Tomcat team announced the release of Tomcat 7.0.41 today. The changelog lists about 30 fixes and enhancements including a new servlet filter that provides support for Cross-Origin Resource Sharing.

Download source and binaries from a mirror near you.