Author Topic: CA Certificate still 1024-bit?  (Read 3040 times)

jbo5112

  • Zen Apprentice
  • Posts: 17
  • Karma: +1/-0
CA Certificate still 1024-bit?
« on: April 03, 2013, 12:54:56 am »
Am I looking at (or doing) something wrong, or is the CA Certificate still 1024-bit in Zentyal 3.0?

I posted something about this being a security issue with version 2.2, and was told the size was being increased with the next version.  I patched the CA.pm file (/usr/share/perl5/EBox/CA.pm) with a single line of code (between 2070 and 2071), and it's now generating all rsa-4096 certificates (until the file reverts).  If it really is still 1024-bit, it would be nice if some fix would make it into the official code and get rolled out with the next update of the web-ui.

I forget how to generate an actual patch.  This should be close enough for a human, but if someone wants it, I'll do the work for a real patch file.
         $cmd .= qq{-keyout '$args{privKey}' };
+        $cmd .= ' -newkey rsa:4096 ';
         if (defined($args{keyPassword})) {
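Review bot: the key size is hard-coded as the string literal `' -newkey rsa:4096 '` on the added line, so changing it means editing CA.pm again, and the change is lost whenever the package overwrites the file, as the post itself notes. Consider taking the size from a `$args{keySize}`-style parameter or from the `default_bits` setting in openssl.cnf, enforcing a 2048-bit minimum, so the policy lives in one configurable place. It is also worth confirming that the rest of `$cmd` does not already pass `-newkey` or rely on `default_bits`, since the three visible lines show only the `-keyout` and `keyPassword` handling.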

gzen

  • Zen Apprentice
  • Posts: 14
  • Karma: +2/-0
Re: CA Certificate still 1024-bit?
« Reply #1 on: February 07, 2014, 02:31:53 am »
jbo5112, I find that hard to believe too; I'm running the latest 3.3.4 and facing the same issue.  I don't seem to find the lines you mention in /usr/share/perl5/EBox/CA.pm; any help would be highly appreciated.

christian

  • Guest
Re: CA Certificate still 1024-bit?
« Reply #2 on: February 07, 2014, 08:26:49 am »
I also wonder why such a simple improvement is not taken into account.
I assume it breaks something somewhere, because this is so easy...
Walking through Zentyal features, you may find other similar "little things" that are done by users here and there manually and not taken into account by Zentyal  ::)

On my side, e.g.
- some DHCP options
- rsync syntax for backup

gzen

  • Zen Apprentice
  • Posts: 14
  • Karma: +2/-0
Re: CA Certificate still 1024-bit?
« Reply #3 on: February 07, 2014, 05:45:09 pm »
The latest browsers, such as IE11, already block certs with a bit length of 1024 and less. I also came across many posts here reporting the VPN issue with 1024-bit certs.

sixstone

  • Zentyal Staff
  • Zen Hero
  • Posts: 1417
  • Karma: +26/-0
Re: CA Certificate still 1024-bit?
« Reply #4 on: April 03, 2014, 05:06:40 pm »
Hello,

You can follow the security issue at https://tracker.zentyal.org/issues/545.

Thanks for your feedback!
My secret is my silence...

toolman1967

  • Zen Apprentice
  • Posts: 25
  • Karma: +1/-0
Re: CA Certificate still 1024-bit?
« Reply #5 on: April 12, 2014, 05:56:17 am »
I was looking around and found that Zentyal uses a config file called openssl.cnf which has the default bits set to 1024.  I went in and modified the file and set the default bits to 4096, revoked and re-created the certs, and enabled the web to use the cert, but the web services would not restart. So I changed it to 2048 and the web services were able to start.  The file is located in /var/lib/zentyal/conf/openssl.cnf, line 103. It could still be overwritten by any updates that Zentyal puts out.

Toolman
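The two checks a practitioner wants after either of the workarounds in this thread (the CA.pm one-liner or editing default_bits in openssl.cnf) are "what key size did the CA actually get?" and "is it at least 2048?". The script below is an added example, not Zentyal's code: it builds a minimal, constructed openssl.cnf (standing in for /var/lib/zentyal/conf/openssl.cnf) with a given default_bits, issues a throwaway self-signed CA from it with openssl, and reads the modulus length back from the certificate. MIN_BITS, the function names and the demo-ca subject are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Zentyal code): audit the RSA key length that an
# openssl.cnf default_bits setting really produces, and enforce a floor.
set -eu

# Smallest RSA modulus accepted; 1024 is refused by current browsers (assumption
# of the example, matching the 2048 that worked in the thread).
MIN_BITS=2048

# Print the RSA modulus length (bits) of a PEM X.509 certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print the modulus length (bits) of a PEM RSA private key (CA.pm's -keyout file).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Exit 0 if the given bit count meets MIN_BITS, 1 otherwise.
bits_ok() {
    [ "$1" -ge "$MIN_BITS" ]
}

# Issue a self-signed CA from a constructed openssl.cnf whose default_bits is $1
# and print the key size the certificate actually carries.
gen_ca_bits() {
    dir=$(mktemp -d)
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
default_bits       = $1
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = demo-ca
EOF
    openssl req -config "$dir/openssl.cnf" -x509 -new -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 1 >/dev/null 2>&1
    cert_key_bits "$dir/ca.pem"
    rm -rf "$dir"
}

# Demo: the thread's 1024-bit default beside the 2048-bit setting that worked.
for b in 1024 2048; do
    n=$(gen_ca_bits "$b")
    bits_ok "$n" && v=OK || v=TOO-SMALL
    printf 'default_bits=%s -> %s-bit CA key (%s)\n' "$b" "$n" "$v"
done
```

Point cert_key_bits at the live CA certificate (or key_bits at its private key) after an update to confirm the fix was not overwritten.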

sixstone

  • Zentyal Staff
  • Zen Hero
  • Posts: 1417
  • Karma: +26/-0
Re: CA Certificate still 1024-bit?
« Reply #6 on: June 28, 2014, 12:34:05 am »
Hello,

This was finally addressed and fixed for 3.5 release: https://github.com/Zentyal/zentyal/pull/1409.

Thanks very much for your patience.

Best,
My secret is my silence...