SSL Certificate Chain Contains RSA Keys Less Than 2048 bits #26

Open
freb opened this issue Oct 14, 2019 · 1 comment
Comments

freb (Contributor) commented Oct 14, 2019

In order to validate this issue, you have to retrieve all intermediate certificates as well. Unfortunately, the Nmap sslcert library only supports retrieving the final cert.

Here is my bash script for validating this:

pt-ssl-cert-rsa-size() {
    printf '%s ' 'If you continue, all *.pem files in current directory will be deleted. Are you sure? (y/n) '
    read -r ans
    echo
    if [[ ! $ans =~ ^[Yy]$ ]]; then
        echo "exiting"
        return
    fi

    for host in "$@"; do
        echo "$host:"
        # Start each host with a clean directory, otherwise the previous host's certs are reported again.
        rm -f ./*.pem

        # Download all certs, including intermediates, from HOST. Files are called cert1.pem, cert2.pem, ... in chain order (leaf first).
        openssl s_client -showcerts -verify 5 -connect "$host":443 < /dev/null 2>/dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}'

        # Loop through downloaded certs and get RSA key sizes.
        for f in ./*.pem; do
            [ -e "$f" ] || { echo "  (no certificates retrieved)"; break; }
            DATA=$(openssl x509 -in "$f" -text -noout)
            if echo "$DATA" | grep --quiet "Public Key Algorithm: rsaEncryption"; then
                # "$DATA" must stay quoted so grep sees the dump line by line; OpenSSL 1.1.1 prints "RSA Public-Key:", older and newer releases print "Public-Key:".
                echo "  $f: $(echo "$DATA" | grep -E "(RSA )?Public-Key:")"
            else
                echo "  $f: (not RSA)"
            fi
        done
    done
}
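The same check the script above performs with openssl, as an added stdlib-only Python example that is not part of this issue or of the project: it walks the DER of every certificate in a PEM chain (assumed to be the concatenated output of `openssl s_client -showcerts`, leaf first) and flags RSA moduli below 2048 bits, so intermediates are covered rather than only the final cert. The `sample_pem` helper builds a constructed, unsigned certificate shell purely as test data; `RSA_OID`, `MIN_RSA_BITS` and all function names are this example's own.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, OID 1.2.840.113549.1.1.1
MIN_RSA_BITS = 2048

def der_tlv(buf, pos=0):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):  # the (tag, value) pairs that make up a SEQUENCE/SET body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        out.append((tag, val))
    return out

def rsa_bits(cert_der):
    """Return the RSA modulus size in bits of one DER certificate, or None if its key is not RSA."""
    fields = der_children(der_children(der_tlv(cert_der)[1])[0][1])  # Certificate -> tbsCertificate fields
    i = 1 if fields[0][0] == 0xA0 else 0  # optional [0] EXPLICIT version shifts everything by one
    (_, alg), (_, bitstr) = der_children(fields[i + 5][1])  # serial, sigAlg, issuer, validity, subject, SPKI
    if der_children(alg)[0][1] != RSA_OID:
        return None
    rsa_pub = der_tlv(bitstr[1:])[1]  # BIT STRING: skip the unused-bits byte, then RSAPublicKey SEQUENCE
    modulus = der_children(rsa_pub)[0][1]  # INTEGER n; its 0x00 sign pad contributes no bits
    return int.from_bytes(modulus, "big").bit_length()

def check_chain(pem_text):
    """Assumed input: the concatenated PEM blocks `openssl s_client -showcerts` prints (leaf first).
    Returns [(index, bits, weak)] per certificate; bits is None for non-RSA keys."""
    pem_re = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    sizes = [rsa_bits(base64.b64decode("".join(b.split()))) for b in re.findall(pem_re, pem_text, re.S)]
    return [(i, b, b is not None and b < MIN_RSA_BITS) for i, b in enumerate(sizes)]

def der(tag, payload):  # minimal DER encoder, used only to build the constructed sample below
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(payload) < 0x80 else bytes([0x80 | len(lb)]) + lb) + payload

def sample_pem(bits):  # constructed, UNSIGNED certificate shell with a `bits`-bit RSA modulus: demo data, not a real cert
    n_der = der(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))  # 0x00 pad keeps INTEGER positive
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + der(0x30, n_der + der(0x02, b"\x01\x00\x01"))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + der(0x30, b"") * 3 + spki)
    cert = der(0x30, tbs + alg + der(0x03, b"\x00"))  # empty signature: enough for the parser, useless for TLS
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Feed `check_chain` the file the awk step of the script writes (or `cat cert*.pem`) and every entry with `weak == True` is a chain member that triggers this finding, whether leaf or intermediate.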
freb (Contributor, Author) commented Oct 14, 2019

Note, the nmap ssl-enum-ciphers script actually seems to get all certificates, but it has TODOs for reordering them and further validation.

Look for:

local certs = get_body(handshake, "type", "certificate")
