Educause Security Discussion mailing list archives
Re: Any special preparations in anticipation of KB2661254 (Key Length) patch?
From: "Campbell, Josh" <jcampbell () FGCU EDU>
Date: Wed, 12 Sep 2012 21:00:14 +0000
I haven't tried it yet, but it looks like nmap should be able to handle this task as well. The -sV scan option can identify SSL services and then it looks like you can use this NSE script to check key length on the hosts you identified:

http://nmap.org/nsedoc/scripts/ssl-cert.html

--
Josh Campbell
Systems Administrator
Business Technology Services
Florida Gulf Coast University
Griffin Hall 129
239-590-1235
Never give out your username or password to anyone.

From: David Lundy <dlundy () PACIFIC EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, September 12, 2012 4:18 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Any special preparations in anticipation of KB2661254 (Key Length) patch?

Marty:

We use a vulnerability scanner from Digital Defense on our server VLANs. This scanner notes the certs it sees on each server along with other information related to vulnerabilities. We were able to discover several certs that had key length less than 1024 bits by going through the scan results. We then notified server administrators of the indicated servers. We expect to do follow up on remediation.

David Lundy

------
David Lundy
Assistant IT Security Officer
Office of Information Technology
University of the Pacific
Stockton, CA 95211
Email: dlundy () pacific edu
Voice: 209-946-3951
Fax: 209-946-2898

On Wed, Sep 12, 2012 at 1:53 PM, Martin Manjak <mmanjak () albany edu> wrote:

MS will release their Update for Minimum Certificate Key Length to WSUS next month. I'm curious about any special preparations anyone may have taken to identify certs within their domains that may not meet the new minimum key length standard (1024).

Embedded devices, if using SSL, come to mind as a potential source of problems. Also, is anyone briefing their Help Desk staff on how to respond to callers who report that they can't connect to sites because of the new requirement? It's hard to tell how much is going to break with this update.

Marty

--
Martin Manjak
CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209
518/437-3813
The University at Albany will never ask you to reveal your password. Please ignore all such requests.
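
The nmap approach suggested at the top of this message, as an added example that is not part of the original thread: a Python sketch that reads the text output of a scan run with -sV and the ssl-cert script and lists every certificate whose RSA key is below the 1024-bit minimum discussed here. The sample scan output is constructed, and the "Public Key type" / "Public Key bits" field labels are assumed to match what your nmap version prints.

```python
import re

MIN_BITS = 1024  # minimum key length named in the thread

# Constructed sample of nmap text output; hosts and values are made up.
SAMPLE = """\
Nmap scan report for web1.example.edu (192.0.2.10)
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-cert: Subject: commonName=web1.example.edu
| Public Key type: rsa
| Public Key bits: 2048
|_Not valid after:  2013-06-01T00:00:00
Nmap scan report for 192.0.2.77
PORT     STATE SERVICE  VERSION
443/tcp  open  ssl/http embedded httpd
| ssl-cert: Subject: commonName=printer
| Public Key type: rsa
| Public Key bits: 512
|_Not valid after:  2020-01-01T00:00:00
8443/tcp open  ssl/http embedded httpd
| ssl-cert: Subject: commonName=printer-admin
| Public Key type: rsa
| Public Key bits: 1024
|_Not valid after:  2020-01-01T00:00:00
"""

HOST = re.compile(r"^Nmap scan report for (.+)$")
PORT = re.compile(r"^(\d+)/tcp\s+open\b")
SUBJ = re.compile(r"ssl-cert: Subject: (.*)$")
KTYPE = re.compile(r"Public Key type: (\S+)")
BITS = re.compile(r"Public Key bits: (\d+)")

def weak_certs(text, min_bits=MIN_BITS):
    """Return (host, port, subject, key_type, bits) for each RSA cert below min_bits."""
    found, host, port, subject, ktype = [], None, None, None, None
    for line in text.splitlines():
        if m := HOST.match(line):        # new host: reset per-port state
            host, port, subject, ktype = m.group(1), None, None, None
        elif m := PORT.match(line):      # new open port on the current host
            port, subject, ktype = int(m.group(1)), None, None
        elif m := SUBJ.search(line):
            subject = m.group(1)
        elif m := KTYPE.search(line):
            ktype = m.group(1)
        elif (m := BITS.search(line)) and host and port:
            bits = int(m.group(1))
            # Compare RSA sizes only; a missing type line is treated as RSA.
            if ktype in (None, "rsa") and bits < min_bits:
                found.append((host, port, subject, ktype, bits))
    return found
```

A certificate with exactly 1024 bits meets the minimum and is not listed; passing a larger min_bits (for example 2048) gives a forward-looking inventory from the same scan.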