faangsticle | 2 years ago
Are there other ways to get these logs?

agwa|2 years ago
You can query logs directly using the API described in RFC 6962: https://datatracker.ietf.org/doc/html/rfc6962#section-4

You'll need a list of logs to query. Chrome publishes their log list at: https://www.gstatic.com/ct/log_list/v3/log_list.json

My company offers a higher-level API for querying by domain name: https://sslmate.com/ct_search_api/

AdamJacobMuller|2 years ago
I haven't found any, yet. I would love to have a list of domains affected by this to cross-check that none of my issued certificates were affected by this.

schoen|2 years ago
The list of all affected SHA256 fingerprints is in https://bug1838667.bmoattachments.org/attachment.cgi?id=9340...

You can get the SHA256 fingerprint for your certificate by running

    openssl x509 -in mycert.pem -sha256 -fingerprint -noout

If you don't like the format,

    openssl x509 -in mycert.pem -sha256 -fingerprint -noout | cut -d= -f2 | tr -d : | tr A-F a-f

will match the format in the list of affected certificates more closely.

If you need to do this against a web server and don't already have a copy of the certificate locally, something like

    echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null <&- | openssl x509 -sha256 -fingerprint -noout | cut -d= -f2 | tr -d : | tr A-F a-f

(This example outputs the actual SHA256 fingerprint for the real domain example.com, which is not affected.)
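
Added example, not part of any comment in this thread: a Python check of every certificate in a PEM bundle against a list of affected SHA-256 fingerprints, computing the same value as `openssl x509 -sha256 -fingerprint` (SHA-256 over the certificate's DER bytes). It assumes the list holds one fingerprint per line; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def normalize(fp):
    """Reduce a fingerprint in any common spelling to 64 lowercase hex chars."""
    fp = fp.strip().split("=")[-1]                # drop "sha256 Fingerprint="
    fp = re.sub(r"[^0-9A-Fa-f]", "", fp).lower()  # drop colons and spaces
    return fp if len(fp) == 64 else None          # None: not a SHA-256 value

def pem_fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate in a PEM bundle."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps

def check(pem_text, list_text):
    """Return the bundle's fingerprints that appear on the affected list."""
    affected = {normalize(line) for line in list_text.splitlines()}
    return [fp for fp in pem_fingerprints(pem_text) if fp in affected]

def constructed_pem(der):
    """Wrap arbitrary bytes in PEM armor (test data, not a real certificate)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed sample input: two stand-in "certificates" and a list that names
# the first one in openssl's upper-case colon format plus one unrelated entry.
BUNDLE = constructed_pem(b"constructed leaf") + constructed_pem(b"constructed CA")
LEAF_FP = hashlib.sha256(b"constructed leaf").hexdigest()
COLON_FP = ":".join(LEAF_FP[i:i + 2] for i in range(0, 64, 2)).upper()
AFFECTED = "sha256 Fingerprint=" + COLON_FP + "\n" + "00" * 32 + "\n\n"

if __name__ == "__main__":
    for fp in pem_fingerprints(BUNDLE):
        print(fp, "AFFECTED" if fp in check(BUNDLE, AFFECTED) else "ok")
```

To use it on real data, pass the text of a certificate chain file and the text of the downloaded fingerprint list to `check()`.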

agwa|2 years ago
Here's a list of affected DNS names: https://gist.github.com/AGWA/5b02c2bb07fc847733fa2a5c1931c4f...