Example: Searching for certificate instances that are vulnerable to known attacks
You can search for certificate instances whose TLS/SSL endpoints are vulnerable to known protocol attacks, and then remediate them. Note that POODLE is a protocol/configuration weakness rather than a certificate defect: the fix is to disable SSLv3 on the affected server (and, for the TLS variant, to update the TLS implementation to one that validates CBC padding correctly), not merely to reissue the certificate. This example shows you how to search for POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerabilities. However, Venafi Cloud can use any of these parameters to search:
- heartbleed (the corresponding field in search results is named heartbleedVulnerable; check the API reference for the exact filter name)
- logjamVulnerable
- poodleVulnerable
- poodleTlsVulnerable
To search for certificate instances that are vulnerable to known attacks
-
If you have not already done so, obtain an API key. Treat the key as a secret: it authenticates every request in this example, so do not commit it to source control, embed it in shared scripts, or paste it into logs or tickets.
-
Use the certificateinstance function and the appropriate JSON body (next step). The API key is sent in the tppl-api-key request header, so always call the HTTPS endpoint shown below (never plain HTTP) to keep the key confidential in transit. For example:
POST https://api.venafi.cloud/v1/certificateinstance
tppl-api-key: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
-
In the JSON body, specify a condition that uses the EQ operator with the value true or false for the poodleVulnerable field (this API expects the value as the string "true" or "false", as shown below). An instance returned by this search typically still advertises SSLv3 in its sslProtocols list — as in the example response — which is the protocol POODLE targets. For additional help, use the parameter descriptions from our documentation. For example:
Example JSON body
{
"expression":{
"operands":[
{
"field":"poodleVulnerable",
"operator":"EQ",
"value":"true"
}
]
},
"ordering":{
"orders":[
{
"direction":"ASC",
"field":"subjectCN"
},
{
"direction":"DESC",
"field":"keyStrength"
}
]
},
"paging":{
"pageNumber":0,
"pageSize":1
}
}
Example response
{
"count":1,
"instances":[
{
"id":"80c61360-2faa-11e7-bbb8-d7e9aadda3cb",
"certificateId":"80c30620-2faa-11e7-bbb8-d7e9aadda3cb",
"companyId":"9c731a20-2f8e-11e7-be41-1507c9a9e451",
"zoneId":"9c7dc881-2f8e-11e7-be41-1507c9a9e451",
"fingerprint":"5DE3432B00F9CE2399AB7163676520C6774EA622",
"certificateSource":"TRUSTNET_SCAN",
"certificateStatuses":[
"NONE"
],
"creationDate":"2017-05-03T02:45:00.950+0000",
"modificationDate":"2017-05-03T02:45:00.950+0000",
"ipAddress":"127.0.0.1",
"ipAddressAsLong":2927720739,
"hostname":" ",
"port":443,
"sslProtocols":[
"SSLv2",
"SSLv3",
"TLSv1"
],
"cipherSuites":[
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_RC4_128_MD5",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"PCT_SSL_CERT_TYPE"
],
"heartbleedVulnerable":false,
"logjamVulnerable":false,
"poodleVulnerable":true,
"poodleTlsVulnerable":false,
"hstsEnabled":false,
"alpnEnabled":false,
"forwardSecrecyEnabled":true,
"npnEnabled":false,
"ocspStaplingEnabled":false,
"renegotiationEnabled":false,
"secureRenegotiationSupported":true,
"tnLastUpdated":"2017-05-03T02:43:14.171+0000",
"lastScanDate":"2017-03-05T11:00:00.000+0000",
"sslProtocolsSecurityStatus":"DEPRECATED",
"cipherSuitesSecurityStatus":"DEPRECATED",
"compliance":{
"score":0
},
"certificate":{
"id":"80c30620-2faa-11e7-bbb8-d7e9aadda3cb",
"companyId":"9c731a20-2f8e-11e7-be41-1507c9a9e451",
"fingerprint":"5DE3432B00F9CE2399AB7163676520C6774EA622",
"certificateSource":"TRUSTNET_SCAN",
"certificateStatuses":[
"NONE"
],
"certificateType":"END_ENTITY",
"creationDate":"2017-05-03T02:45:00.930+0000",
"modificationDate":"2017-05-03T02:45:00.930+0000",
"totalInstanceCount":1,
"validityStart":"2017-01-25T17:01:32.000+0000",
"validityEnd":"2018-01-25T17:01:32.000+0000",
"validityPeriodDays":365,
"validityPeriodRange":"GT_30_DAYS_LTE_2_YEARS",
"selfSigned":false,
"signatureAlgorithm":"SHA256_WITH_RSA_ENCRYPTION",
"signatureHashAlgorithm":"SHA256",
"encryptionType":"RSA",
"keyStrength":2048,
"publicKeyHash":"F7B78F7471AB2EED777CD488377E32A90B9DB530",
"subjectKeyIdentifierHash":"8C8ADFDDDB849486A8E003A270D0785918E79EE2",
"authorityKeyIdentifierHash":"CC338779405F8AD8846161E347F5EADDDC9FC2E1",
"serialNumber":"1F3EBEFB0001000080C6",
"subjectCN":[
"iisUSPS13.lab.venafi.com"
],
"subjectST":"UT",
"subjectL":"Salt Lake City",
"subjectC":"US",
"subjectAlternativeNamesByType":{
"otherName":[
],
"rfc822Name":[
],
"dNSName":[
],
"x400Address":[
],
"directoryName":[
],
"ediPartyName":[
],
"uniformResourceIdentifier":[
],
"iPAddress":[
],
"registeredID":[
]
},
"issuerCN":[
"traininglab-Root-CA"
],
"keyUsage":[
"digitalSignature",
"keyEncipherment"
],
"ocspNoCheck":false,
"compliance":{
"score":0.7691358024691359
}
}
}
]
}