Bug 30545 - univention-certificate - defaults bits for key should be configurable
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 3.1
Hardware: Other
OS: Windows 7
Importance: P5 enhancement
Target Milestone: UCS 3.2-3-errata
Assigned To: Felix Botner
QA Contact: Philipp Hahn
Duplicates: 35588 36176
Reported: 2013-02-22 08:03 CET by Stephan Hendl
Modified: 2014-10-30 14:11 CET (History)
Attachments:
Increase certificate length to 2048 bit (858 bytes, patch), 2013-05-18 16:45 CEST, Jan Christoph Ebersbach
Description Stephan Hendl 2013-02-22 08:03:08 CET
The default bit number for keys should be configurable via UCR. Currently it is hard-coded in the /usr/share/univention-ssl/make-certificates.sh script (around line 419). For some applications, e.g. SCUP (Microsoft SCCM update publisher), one needs a key length >= 2048 bits.
Comment 1 Jan Christoph Ebersbach univentionstaff 2013-05-18 16:25:34 CEST
Same issue here, certificate authorities will not sign keys shorter than 2048 bits!
Comment 2 Jan Christoph Ebersbach univentionstaff 2013-05-18 16:45:46 CEST
Created attachment 5229 [details]
Increase certificate length to 2048 bit

Attention, after applying the patch, CA and certificates need to be recreated!
Comment 3 Jan Christoph Ebersbach univentionstaff 2014-09-10 16:52:30 CEST
In light of Bug #35836 it might also be worth considering fixing this bug as well.
Comment 4 Michael Grandjean univentionstaff 2014-09-10 21:06:24 CEST
*** Bug 35588 has been marked as a duplicate of this bug. ***
Comment 5 Stefan Gohmann univentionstaff 2014-10-15 10:59:54 CEST
Please fix it together with Bug #35836.
Comment 6 Felix Botner univentionstaff 2014-10-15 14:28:23 CEST
added ssl/default/bits and changed default to 2048

YAML: 2014-10-15-univention-ssl.yaml
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2014-10-15 15:39:56 CEST
*** Bug 36176 has been marked as a duplicate of this bug. ***
Comment 8 Philipp Hahn univentionstaff 2014-10-23 09:59:12 CEST
OK: r54453

RFC: openssl.cnf
   [CA_default] default_md=sha1
   [req] default_bits=1024
  This file is unused, as a file with the same name is generated by make-certificates.sh each time. IMHO it should be removed from the source code to reduce further confusion.

RFA: 2014-10-15-univention-ssl.yaml
  The default key size has been changed to 2048 [+bits+]
  (configurable via [+UCR variable+] ssl/default/bits)

  IMHO "bits" is too generic; perhaps "keysize"?

FYI: Description[de]: 'Default' is a German word since 2006: <http://www.duden.de/rechtschreibung/Default>

OK: annouce_errata -V 2014-10-15-univention-ssl.yaml

OK:
 /usr/sbin/univention-certificate new -name test -days 365
 openssl x509 -noout -text -in /etc/univention/ssl/test/cert.pem
             RSA Public Key: (2048 bit)
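As an added example (not part of this bug thread or of univention-ssl): a small Python audit that applies the same check as the QA step above, parsing `openssl x509 -noout -text` output and flagging every certificate whose RSA key is shorter than the new ssl/default/bits default of 2048. It goes slightly beyond the thread by accepting both the older "RSA Public Key: (n bit)" line shown above and the "Public-Key: (n bit)" line printed by newer OpenSSL releases. The sample outputs are constructed, not real certificates; the `/etc/univention/ssl/<name>/cert.pem` path layout is taken from the QA step, and `x509_text_for` is an assumed helper for use on a real host.

```python
import re
import subprocess

# Public-key line in `openssl x509 -noout -text` output. OpenSSL 0.9.8/1.0.x
# (as in the QA step above) prints "RSA Public Key: (2048 bit)"; newer
# releases print "Public-Key: (2048 bit)". Both are matched here.
KEY_SIZE_RE = re.compile(r"(?:RSA Public Key|Public-Key):\s*\((\d+) bit\)")
SIG_ALG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")


def parse_x509_text(text: str) -> dict:
    """Extract the RSA key size (bits) and the signature algorithm from
    openssl text output. Missing values are reported as None."""
    m_bits = KEY_SIZE_RE.search(text)
    m_sig = SIG_ALG_RE.search(text)
    return {
        "bits": int(m_bits.group(1)) if m_bits else None,
        "sig_alg": m_sig.group(1) if m_sig else None,
    }


def audit(outputs: dict, min_bits: int = 2048) -> list:
    """Return the names of certificates whose key is shorter than min_bits,
    or whose key size could not be determined, sorted by name."""
    weak = []
    for name, text in outputs.items():
        bits = parse_x509_text(text)["bits"]
        if bits is None or bits < min_bits:
            weak.append(name)
    return sorted(weak)


def x509_text_for(name: str) -> str:
    """Assumed helper: run the same command as the QA step for
    /etc/univention/ssl/<name>/cert.pem on a UCS host. The constructed
    SAMPLES below stand in for its output when running offline."""
    path = f"/etc/univention/ssl/{name}/cert.pem"
    return subprocess.run(["openssl", "x509", "-noout", "-text", "-in", path],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample outputs (not real certificates), trimmed to the lines
# the audit looks at.
SAMPLES = {
    "legacy-1024": (
        "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
        "        Signature Algorithm: sha1WithRSAEncryption\n"
        "        Subject: C=DE, O=test, CN=legacy-1024\n"
        "        Subject Public Key Info:\n"
        "            Public Key Algorithm: rsaEncryption\n"
        "                RSA Public Key: (1024 bit)\n"
    ),
    "test": (
        "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
        "        Signature Algorithm: sha1WithRSAEncryption\n"
        "        Subject: C=DE, O=test, CN=test\n"
        "        Subject Public Key Info:\n"
        "            Public Key Algorithm: rsaEncryption\n"
        "                RSA Public Key: (2048 bit)\n"
    ),
    "modern-4096": (
        "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
        "        Signature Algorithm: sha256WithRSAEncryption\n"
        "        Subject: C=DE, O=test, CN=modern-4096\n"
        "        Subject Public Key Info:\n"
        "            Public Key Algorithm: rsaEncryption\n"
        "                Public-Key: (4096 bit)\n"
    ),
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: key shorter than 2048 bit; reissue with ssl/default/bits >= 2048")
```

On a real host, replace `SAMPLES` with `{name: x509_text_for(name) for name in os.listdir("/etc/univention/ssl")}` restricted to directories that contain a `cert.pem`; certificates that were issued before the default changed keep their 1024-bit keys until they are recreated, which is exactly what this audit surfaces.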
Comment 9 Felix Botner univentionstaff 2014-10-29 14:38:04 CET
(In reply to Philipp Hahn from comment #8)
> OK: r54453
> 
> RFC: openssl.cnf
>    [CA_default] default_md=sha1
>    [req] default_bits=1024
>   This file is unused, as a file with the same name is generated by
> make-certificates.sh each time. IMHO it should be removed from the source
> code to reduce further confusion.

removed 

> 
> RFA: 2014-10-15-univention-ssl.yaml
>   The default key size has been changed to 2048 [+bits+]
>   (configurable via [+UCR variable+] ssl/default/bits)
> 
>   IMHO "bits" is too generic; perhaps "keysize"?
> 
> FYI: Description[de]: 'Default' is a German word since 2006:
> <http://www.duden.de/rechtschreibung/Default>

fixed,

YAML updated, see 2014-10-15-univention-ssl.yaml

Merged to 4.0-
Comment 10 Philipp Hahn univentionstaff 2014-10-29 18:19:49 CET
OK: UCS-3.2-3: r55085,r55095,r55098
OK: UCS-4.0-0: r55055,r55086,r55096,r55099
OK: openssl.cnf removed
OK: ucr info ssl/default/bits
OK: annouce_errata -V 2014-10-15-univention-ssl.yaml
OK: piuparts-test 2014-10-15-univention-ssl.yaml
OK: RSA Public Key: (2048 bit)
OK: Signature Algorithm: sha1WithRSAEncryption
OK: UCS-4.0-0 merge
Comment 11 Janek Walkenhorst univentionstaff 2014-10-30 14:11:40 CET
http://errata.univention.de/ucs/3.2/227.html