Author Topic: CA Certificate still 1024-bit?  (Read 3030 times)

jbo5112

  • Zen Apprentice
  • *
  • Posts: 17
  • Karma: +1/-0
    • View Profile
CA Certificate still 1024-bit?
« on: April 03, 2013, 12:54:56 am »
Am I looking at (or doing) something wrong, or is the CA Certificate still 1024-bit in Zentyal 3.0?

I posted something about this being a security issue with version 2.2, and was told the size was being increased with the next version.  I patched the CA.pm file (/usr/share/perl5/EBox/CA.pm) with a single line of code (between 2070 and 2071), and it's now generating all rsa-4096 certificates (until the file reverts).  If it really is still 1024-bit, It would be nice if some fix would make it into the official code and get rolled out with the next update of the web-ui.

I forget how to generate an actual patch.  This should be close enough for a human, but if someone wants it, I'll do the work for a real patch file.
Code: [Select]
         $cmd .= qq{-keyout '$args{privKey}' };
+        $cmd .= ' -newkey rsa:4096 ';
         if (defined($args{keyPassword})) {

gzen

  • Zen Apprentice
  • *
  • Posts: 14
  • Karma: +2/-0
    • View Profile
Re: CA Certificate still 1024-bit?
« Reply #1 on: February 07, 2014, 02:31:53 am »
jbo5112, I find to hard to believe that too, I'm running the latest 3.3.4 and facing the same issue.  don't seem to find the lines you mention in /usr/share/perl5/EBox/CA.pm, any help would highly appreciate.

christian

  • Guest
Re: CA Certificate still 1024-bit?
« Reply #2 on: February 07, 2014, 08:26:49 am »
I also wonder why such simple improvement is not taken in account.
I assume it breaks something somewhere because this is so easy...
Walking though Zentyal features, you may find other similar "little things" that are done by users here and there manually and not taken in account by Zentyal  ::)

On my side, e.g.
- some DHCP options
- rsync syntax for backup

gzen

  • Zen Apprentice
  • *
  • Posts: 14
  • Karma: +2/-0
    • View Profile
Re: CA Certificate still 1024-bit?
« Reply #3 on: February 07, 2014, 05:45:09 pm »
latest browser such as IE11 already blocks certs with bit length 1024 and less. I also came cross many posts here reporting the VPN issue with certs 1024 bit. 

sixstone

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1417
  • Karma: +26/-0
    • View Profile
    • Sixstone's blog
Re: CA Certificate still 1024-bit?
« Reply #4 on: April 03, 2014, 05:06:40 pm »
Hello,

You can follow the security issue at https://tracker.zentyal.org/issues/545.

Thanks for your feedback!
My secret is my silence...

toolman1967

  • Zen Apprentice
  • *
  • Posts: 25
  • Karma: +1/-0
    • View Profile
Re: CA Certificate still 1024-bit?
« Reply #5 on: April 12, 2014, 05:56:17 am »
Am I looking at (or doing) something wrong, or is the CA Certificate still 1024-bit in Zentyal 3.0?

I posted something about this being a security issue with version 2.2, and was told the size was being increased with the next version.  I patched the CA.pm file (/usr/share/perl5/EBox/CA.pm) with a single line of code (between 2070 and 2071), and it's now generating all rsa-4096 certificates (until the file reverts).  If it really is still 1024-bit, It would be nice if some fix would make it into the official code and get rolled out with the next update of the web-ui.

I forget how to generate an actual patch.  This should be close enough for a human, but if someone wants it, I'll do the work for a real patch file.
Code: [Select]
         $cmd .= qq{-keyout '$args{privKey}' };
+        $cmd .= ' -newkey rsa:4096 ';
         if (defined($args{keyPassword})) {

I was looking around and found that Zentyal uses a config file called openssl.cnf which has the default bit set to 1024.  I went in modified the file and set default bit to 4096 and revoked and re-created the certs, enabled the web to use the cert and the web services would not restart. So I changed it to 2048 and the web services was able to start.  The file is located in /var/lib/zentyal/conf/openssl.cnf line 103. It could still be over written by any updates that Zentyal puts out.

Toolman

sixstone

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1417
  • Karma: +26/-0
    • View Profile
    • Sixstone's blog
Re: CA Certificate still 1024-bit?
« Reply #6 on: June 28, 2014, 12:34:05 am »
Hello,

This was finally addressed and fixed for 3.5 release: https://github.com/Zentyal/zentyal/pull/1409.

Thanks very much for your patience.

Best,
My secret is my silence...