Univention Bugzilla – Full Text Bug Listing |
Summary: | univention-certificate - defaults bits for key should be configurable | ||
---|---|---|---|
Product: | UCS | Reporter: | Stephan Hendl <stephan.hendl> |
Component: | SSL | Assignee: | Felix Botner <botner> |
Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
Severity: | enhancement | ||
Priority: | P5 | CC: | andree.hingst, ebersbach, gohmann, grandjean, schwardt, walkenhorst |
Version: | UCS 3.1 | ||
Target Milestone: | UCS 3.2-3-errata | ||
Hardware: | Other | ||
OS: | Windows 7 | ||
Attachments: | Increase certificate length to 2048 bit |
Description
Stephan Hendl
2013-02-22 08:03:08 CET
Same issue here, certificate authorities will not sign keys shorter than 2048 bits!

Created attachment 5229
Increase certificate length to 2048 bit
Attention, after applying the patch, CA and certificates need to be recreated!
In light of Bug #35836 it might also be worth considering fixing this bug as well.

*** Bug 35588 has been marked as a duplicate of this bug. ***

Please fix it together with Bug #35836.

added ssl/default/bits and changed default to 2048
YAML: 2014-10-15-univention-ssl.yaml

*** Bug 36176 has been marked as a duplicate of this bug. ***

OK: r54453

RFC: openssl.cnf
[CA_default] default_md=sha1
[req] default_bits=1024
This file is unused, as a file with the same name is generated by make-certificates.sh each time. IMHO it should be removed from the source code to reduce further confusion.

RFA: 2014-10-15-univention-ssl.yaml
The default key size has been changed to 2048 [+bits+]
(configurable via [+UCR variable+] ssl/default/bits)

IMHO "bits" is too generic; perhaps "keysize"?

FYI: Description[de]: 'Default' is a German word since 2006:
<http://www.duden.de/rechtschreibung/Default>

OK: annouce_errata -V 2014-10-15-univention-ssl.yaml
OK: /usr/sbin/univention-certificate new -name test -days 365
openssl x509 -noout -text -in /etc/univention/ssl/test/cert.pem
RSA Public Key: (2048 bit)

(In reply to Philipp Hahn from comment #8)
> OK: r54453
>
> RFC: openssl.cnf
> [CA_default] default_md=sha1
> [req] default_bits=1024
> This file is unused, as a file with the same name is generated by
> make-certificates.sh each time. IMHO it should be removed from the source
> code to reduce further confusion.

removed

>
> RFA: 2014-10-15-univention-ssl.yaml
> The default key size has been changed to 2048 [+bits+]
> (configurable via [+UCR variable+] ssl/default/bits)
>
> IMHO "bits" is too generic; perhaps "keysize"?
>
> FYI: Description[de]: 'Default' is a German word since 2006:
> <http://www.duden.de/rechtschreibung/Default>

fixed, YAML updated, see 2014-10-15-univention-ssl.yaml

Merged to 4.0-

OK: UCS-3.2-3: r55085,r55095,r55098
OK: UCS-4.0-0: r55055,r55086,r55096,r55099
OK: openssl.cnf removed
OK: ucr info ssl/default/bits
OK: annouce_errata -V 2014-10-15-univention-ssl.yaml
OK: piuparts-test 2014-10-15-univention-ssl.yaml
OK: RSA Public Key: (2048 bit)
OK: Signature Algorithm: sha1WithRSAEncryption
OK: UCS-4.0-0 merge
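
The QA steps above confirm the new default by reading the key size out of openssl x509 -noout -text, and the patch note says existing certificates must be recreated. As an added example (not part of the bug report or Univention's code), the same check written as a shell audit that lists certificates still below the new default; the function names, the 2048 threshold and the <dir>/<name>/cert.pem layout are assumptions, and the sample texts are constructed.

```shell
#!/bin/sh
MIN_BITS=2048   # assumption: matches the new ssl/default/bits default

# Read `openssl x509 -noout -text` output on stdin and print
# "<bits> <signature-algorithm>". Accepts both the older
# "RSA Public Key: (N bit)" and the newer "Public-Key: (N bit)" spelling.
cert_summary() {
    awk '
        /Public[- ]Key: \([0-9]+ bit\)/ && bits == "" {
            s = $0; sub(/.*\(/, "", s); sub(/ bit\).*/, "", s); bits = s
        }
        /Signature Algorithm:/ && alg == "" { alg = $NF }
        END {
            if (bits == "") exit 1
            print bits, (alg == "" ? "unknown" : alg)
        }'
}

# 0 = key size >= MIN_BITS, 1 = key too short, 2 = no key size found.
check_cert_text() {
    summary=$(cert_summary) || return 2
    bits=${summary%% *}
    [ "$bits" -ge "$MIN_BITS" ]
}

# List certificates that must be recreated. Assumed layout:
# <dir>/<name>/cert.pem, as in /etc/univention/ssl/test/cert.pem above.
audit_dir() {
    for pem in "$1"/*/cert.pem; do
        [ -f "$pem" ] || continue
        rc=0
        openssl x509 -noout -text -in "$pem" | check_cert_text || rc=$?
        case $rc in
            1) echo "RECREATE (key < $MIN_BITS bit): $pem" ;;
            2) echo "UNPARSED: $pem" ;;
        esac
    done
}

# Constructed samples of the relevant openssl text output.
sample_new() {
    printf '    Signature Algorithm: sha1WithRSAEncryption\n'
    printf '            RSA Public Key: (2048 bit)\n'
}
sample_old() {
    printf '    Signature Algorithm: sha1WithRSAEncryption\n'
    printf '                Public-Key: (1024 bit)\n'
}
```

Run audit_dir /etc/univention/ssl on a host with openssl installed; any RECREATE line marks a certificate issued before the default was raised.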