Comment 25 for bug 230197

Out of curiosity I had a brief look at the openssl-vulnkey script and found the following:

The openssl-vulnkey is implemented as a wrapper around the openssl binary in order to check for weak keys.
One of the problems that occur when wrapping the openssl binary instead of making use of the openssl libraries is passing the password to it in a secure manner.

man openssl
"
 Several commands accept password arguments, typically using -passin and
       -passout for input and output passwords respectively. These allow the
       password to be obtained from a variety of sources. Both of these
       options take a single argument whose format is described below. If no
       password argument is given and a password is required then the user is
       prompted to enter one: this will typically be read from the current
       terminal with echoing turned off.

       pass:password
                 the actual password is password. Since the password is visi‐
                 ble to utilities (like ’ps’ under Unix) this form should only
                 be used where security is not important.
"

The openssl-vulnkey calls three functions (get_type, get_bits and get_modulus) in order to get the information it needs in order to check for weak keys.
Each function needs to decrypt the key to get it's information. Hence the three pass phrase questions.

Renaming the openvpn-vulnkey to openssl-vulnkey is just as bad as replacing the openssl-vulnkey with /bin/true and should be avoided if you have not checked your keys manually and made sure their all OK.

So until the script is modified/fixed we're stuck with either
- typing the password three times
- replacing the openssl-vulnkey binary

/Patrik