Univention Bugzilla – Full Text Bug Listing |
Summary: | Improve defaults for root certificate private key | ||
---|---|---|---|
Product: | UCS | Reporter: | Michael Grandjean <grandjean> |
Component: | SSL | Assignee: | Bugzilla Mailingliste <bugzilla> |
Status: | CLOSED FIXED | QA Contact: | Janek Walkenhorst <walkenhorst> |
Severity: | enhancement | ||
Priority: | P5 | CC: | gohmann, hahn |
Version: | UCS 4.0 | ||
Target Milestone: | UCS 4.1-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | --- | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | |||
Attachments: | Change key encryption and default bits for root-CA private key |
Created attachment 7176 [details]
Change key encryption and default bits for root-CA private key
(In reply to Michael Grandjean from comment #0) > 2. key length: > 2048 bits might be enough for today, but who knows if that's still the case > in 5 years (default UCS-CA validity) This was implemented through Bug #30545 commit r54455: URCV ssl/default/bits (In reply to Michael Grandjean from comment #0) > 1. key encryption algorithm > I think we should default to '-aes256' instead of '-des3'. As far as I know > there's yet nothing wrong with 3DES except that it is really slow compared > to AES. r70651 | Bug #37621 SSL: Make cipher for root CA configurable > 3. key algorithm Not yet supported; waiting for request by customer. Package: univention-ssl Version: 10.0.0-15.172.201606271746 Branch: ucs_4.1-0 Scope: errata4.1-2 r70655 | Bug #41230,Bug #38903,Bug #37621 SSL: YAML univention-ssl.yaml Code review: OK Tests: OK Advisory: Added description of new default. |
Most of the private key options are hardcoded in make-certificates.sh: > openssl genrsa -des3 -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" 2048 It should be possible to configure: 1. key encryption algorithm I think we should default to '-aes256' instead of '-des3'. As far as I know there's yet nothing wrong with 3DES except that it is really slow compared to AES. 2. key length: 2048 bits might be enough for today, but who knows if that's still the case in 5 years (default UCS-CA validity) 3. key algorithm we should consider supporting ECDSA keys (instead of / additionally to RSA) in the near future