by faangsticle 1096 days ago
Are there other ways to get these logs?

You can query logs directly using the API described in RFC 6962: https://datatracker.ietf.org/doc/html/rfc6962#section-4

You'll need a list of logs to query. Chrome publishes their log list at: https://www.gstatic.com/ct/log_list/v3/log_list.json

My company offers a higher-level API for querying by domain name: https://sslmate.com/ct_search_api/
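The RFC 6962 query path the comment above points at, worked through as an added Python example (mine, not the commenter's and not SSLMate's code): it selects the logs marked usable from a Chrome-style log list, builds the `get-entries` URL from section 4.6 of the RFC, and decodes the `MerkleTreeLeaf` structures a log returns (section 3.4). The log-list field names are assumed from the published v3 schema, and every sample value, including the "certificate" bytes, is constructed; nothing here touches the network.

```python
"""Parse a CT log list and decode RFC 6962 MerkleTreeLeaf entries offline."""
import base64
import json
import struct

# Constructed sample in the shape of Chrome's v3 log_list.json
# (field names assumed from the published schema; values made up).
SAMPLE_LOG_LIST = json.dumps({
    "version": "0.0",
    "operators": [{
        "name": "Example Operator",
        "logs": [
            {"description": "Example Log 2023", "log_id": "AAAA", "key": "BBBB",
             "url": "https://ct.example.invalid/2023/", "mmd": 86400,
             "state": {"usable": {"timestamp": "2023-01-01T00:00:00Z"}}},
            {"description": "Example Log Old", "log_id": "CCCC", "key": "DDDD",
             "url": "https://ct.example.invalid/old/", "mmd": 86400,
             "state": {"retired": {"timestamp": "2022-01-01T00:00:00Z"}}},
        ],
    }],
})


def usable_log_urls(log_list_json: str) -> list:
    """Return base URLs of logs whose state is 'usable' (the ones worth querying)."""
    data = json.loads(log_list_json)
    urls = []
    for operator in data.get("operators", []):
        for log in operator.get("logs", []):
            if "usable" in log.get("state", {}):
                urls.append(log["url"].rstrip("/") + "/")
    return urls


def get_entries_url(log_url: str, start: int, end: int) -> str:
    """RFC 6962 section 4.6: GET <log>/ct/v1/get-entries?start=&end= (inclusive)."""
    return f"{log_url}ct/v1/get-entries?start={start}&end={end}"


def parse_merkle_tree_leaf(leaf: bytes) -> dict:
    """Decode a MerkleTreeLeaf (RFC 6962 section 3.4).

    version(1) leaf_type(1) timestamp(8) entry_type(2)
    x509_entry:    3-byte length + DER certificate
    precert_entry: 32-byte issuer_key_hash + 3-byte length + TBSCertificate
    then extensions: 2-byte length + bytes
    """
    if leaf[0] != 0 or leaf[1] != 0:
        raise ValueError("unsupported MerkleTreeLeaf version/leaf_type")
    timestamp_ms, entry_type = struct.unpack(">QH", leaf[2:12])
    pos = 12
    result = {"timestamp_ms": timestamp_ms}
    if entry_type == 0:
        cert_len = int.from_bytes(leaf[pos:pos + 3], "big")
        pos += 3
        result["entry_type"] = "x509_entry"
        result["certificate"] = leaf[pos:pos + cert_len]
        pos += cert_len
    elif entry_type == 1:
        result["entry_type"] = "precert_entry"
        result["issuer_key_hash"] = leaf[pos:pos + 32]
        pos += 32
        tbs_len = int.from_bytes(leaf[pos:pos + 3], "big")
        pos += 3
        result["tbs_certificate"] = leaf[pos:pos + tbs_len]
        pos += tbs_len
    else:
        raise ValueError(f"unknown entry_type {entry_type}")
    ext_len = int.from_bytes(leaf[pos:pos + 2], "big")
    pos += 2
    result["extensions"] = leaf[pos:pos + ext_len]
    if pos + ext_len != len(leaf):
        raise ValueError("trailing bytes after MerkleTreeLeaf")
    return result


def parse_get_entries(response_json: str) -> list:
    """Decode every base64 leaf_input in a get-entries response body."""
    body = json.loads(response_json)
    return [parse_merkle_tree_leaf(base64.b64decode(e["leaf_input"]))
            for e in body["entries"]]


# Constructed get-entries response with one x509_entry. FAKE_DER is a
# placeholder byte string standing in for a real DER certificate.
FAKE_DER = b"\x30\x03\x02\x01\x01"
_leaf = (b"\x00\x00" + struct.pack(">QH", 1688000000000, 0)
         + len(FAKE_DER).to_bytes(3, "big") + FAKE_DER + b"\x00\x00")
SAMPLE_GET_ENTRIES = json.dumps({"entries": [
    {"leaf_input": base64.b64encode(_leaf).decode(), "extra_data": ""}]})

if __name__ == "__main__":
    for url in usable_log_urls(SAMPLE_LOG_LIST):
        print("would fetch:", get_entries_url(url, 0, 255))
    for entry in parse_get_entries(SAMPLE_GET_ENTRIES):
        print(entry["entry_type"], entry["timestamp_ms"], entry["certificate"].hex())
```

Against a live log, `get-sth` gives the current `tree_size` and logs cap how many entries one `get-entries` call returns, so a real crawler pages through `start`/`end` windows and feeds each decoded certificate (or precert TBS) to whatever domain or fingerprint matching it needs.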

I haven't found any, yet. I would love to have a list of domains affected by this to cross-check that none of my issued certificates were affected by this.
The list of all affected SHA256 fingerprints is in https://bug1838667.bmoattachments.org/attachment.cgi?id=9340...

You can get the SHA256 fingerprint for your certificate by running

  openssl x509 -in mycert.pem -sha256 -fingerprint -noout 
If you don't like the format,

  openssl x509 -in mycert.pem -sha256 -fingerprint -noout | cut -d= -f2 | tr -d : | tr A-F a-f
will match the format in the list of affected certificates more closely.

If you need to do this against a web server and don't already have a copy of the certificate locally, something like

  echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null <&- | openssl x509 -sha256 -fingerprint -noout | cut -d= -f2 | tr -d : | tr A-F a-f
(This example outputs the actual SHA256 fingerprint for the real domain example.com, which is not affected.)
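The same fingerprint check done in Python rather than a shell pipeline, as an added example that is not the commenter's code: it yields the same lowercase, colon-free SHA256 value as the `openssl x509 -sha256 -fingerprint | cut | tr` pipeline, normalizes an affected list whether its entries are bare hex or openssl's `AA:BB:...` form, and tests a certificate supplied as PEM text or raw DER against it. The certificate bytes and the affected list below are constructed placeholders, not a real certificate and not the Bugzilla attachment.

```python
"""Compute a certificate's SHA256 fingerprint and match it against a list."""
import base64
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first certificate block from PEM text and base64-decode it."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex without colons: the same value the openssl pipeline prints."""
    return hashlib.sha256(der).hexdigest()


def openssl_style(fingerprint: str) -> str:
    """Render a bare hex fingerprint the way openssl prints it (AA:BB:...)."""
    return ":".join(fingerprint[i:i + 2] for i in range(0, 64, 2)).upper()


def normalize_fingerprint(text: str) -> str:
    """Accept 'SHA256 Fingerprint=AB:CD:..', 'AB:CD:..' or bare hex, any case."""
    value = text.split("=", 1)[-1]
    value = re.sub(r"[^0-9A-Fa-f]", "", value)   # drop colons, spaces, etc.
    if len(value) != 64:
        raise ValueError(f"not a SHA256 fingerprint: {text!r}")
    return value.lower()


def load_affected_list(text: str) -> set:
    """One fingerprint per line; blank lines and '#' comments are ignored."""
    out = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.add(normalize_fingerprint(line))
    return out


def is_affected(cert, affected: set) -> bool:
    """cert is PEM text (str) or DER bytes; returns True if its fingerprint is listed."""
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    return sha256_fingerprint(der) in affected


# Constructed placeholder "certificate" (a tiny DER SEQUENCE, not a real cert)
# and its PEM wrapping, so the example runs without any files on disk.
FAKE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(FAKE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

# Constructed affected list mixing formats, including our placeholder cert
# in openssl's colon-separated uppercase form.
AFFECTED_TEXT = (
    "# constructed list, not the real attachment\n"
    + "ab" * 32 + "\n"
    + openssl_style(sha256_fingerprint(FAKE_DER)) + "\n")

if __name__ == "__main__":
    affected = load_affected_list(AFFECTED_TEXT)
    print(sha256_fingerprint(FAKE_DER), is_affected(SAMPLE_PEM, affected))
```

For a live server the DER can be obtained with Python's `ssl` module (`ssl.get_server_certificate` followed by `pem_to_der`) and passed to `is_affected` the same way.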
Thank you and much appreciated, fortunately had no affected certs. I guess I need to spend some time implementing ARI :)