Bug 15576

Summary: rpm-helper creates 1024-bit SSL certificates
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: RPM Packages
Assignee: Colin Guthrie <mageia>
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: Normal
Version: Cauldron
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM: rpm-helper-0.24.16-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-03-26 23:46:07 CET
The script /usr/share/rpm-helper/create-ssl-certificate (and associated configuration file /etc/sysconfig/ssl) from rpm-helper is used for creating SSL certificates for services for most of our packages that support SSL.

As the major browser vendors are in the process of dropping support for 1024-bit certificates, and will continue with that over the coming months, it makes no sense for our packages to still be generating certificates with that short a key-length by default.  We *really* need to change this to 2048.

Comment 1 Colin Guthrie 2015-03-27 11:08:04 CET
I'm not really comfortable changing this as I'm not super clued up here.

Is it safe to just change the 1024 in that file to 2048? Does everything that uses SSL definitely work with these longer certs (do we have to test everything that calls this?)

If it's just a matter of changing this, then please feel free to make the change in git and push it and I'll roll a release etc. (although you can actually do it all yourself if you like - including the push as it's exempt from freeze).

Should just be a matter of changing those two files (git grep -l KEY_LENGTH) I guess?
Comment 2 David Walser 2015-03-27 13:10:37 CET
Changing to 2048 is not going to break anything.  Sticking with 1024 will start breaking things, at the very least with httpd as those certs simply won't be accepted anymore.

I haven't done any git stuff, so I'm not up to speed on that yet.

AFAIK, fixing this should be a matter of just changing the KEY_LENGTH= in both of those files.
Comment 3 David Walser 2015-04-01 16:35:43 CEST
It would really be best to fix this before the release, so that new installations get their certs created with a usable key length.  It's more difficult to regenerate them later.

If you for some reason still question the validity of increasing the length, maybe noting that certutil in NSS made the same change will help:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes
Comment 4 Colin Guthrie 2015-04-01 17:54:44 CEST
Yeah, sorry. I was going to give you git instructions to do it yourself but forgot :(

I'll do the commit if you like but can I attribute it to yourself? That way you take the blame/credit? :D
Comment 5 David Walser 2015-04-01 17:59:04 CEST
(In reply to Colin Guthrie from comment #4)
> Yeah, sorry. I was going to give you git instructions to do it yourself but
> forgot :(

This would be good to have, but it can wait until we get through this release.

> I'll do the commit if you like but can I attribute it to yourself? That way
> you take the blame/credit? :D

Yes, please.  Thank you :o)
Comment 6 Mageia Robot 2015-04-01 18:27:57 CEST
commit 971938e7043cbbc877039cb75009033cc0bc967f
Author: David Walser <luigiwalser@...>
Date:   Wed Apr 1 17:25:15 2015 +0100

    ssl: Change default key length to 2048.
    
    Various browsers and other clients are dropping support for 1024-SSL
    certificates so we should not generate them by default.
    
    mga#15576
---
 Commit Link:
   http://gitweb.mageia.org/software/rpm/rpm-helper/commit/?id=971938e7043cbbc877039cb75009033cc0bc967f
Comment 7 Colin Guthrie 2015-04-01 18:35:03 CEST
Please check the commit - although it's released already! If I've cocked it up, I'll add a git note to pin the blame to me :)

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2015-04-01 18:39:55 CEST
LOL, the commit looked good.  Thanks Colin, and thanks also to Thomas Spuhler for bringing this issue to my attention.
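
Comment 3 notes that certificates created under the old default are harder to replace later, so a host installed before the fix needs both its configured default and its existing certificates checked. The following is an added example, not part of this bug thread or of rpm-helper: it assumes the `KEY_LENGTH=` assignment format discussed above, an installed `openssl` CLI, and a certificate directory supplied by the caller; all function names are hypothetical.

```bash
#!/bin/bash
# Added example (not rpm-helper code). Function names are hypothetical.
MIN_BITS=2048

# Print the number assigned to KEY_LENGTH in a sysconfig-style file.
configured_key_length() {
    sed -n 's/^[[:space:]]*KEY_LENGTH="\{0,1\}\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1
}

# Succeed only when KEY_LENGTH is set and below MIN_BITS.
config_is_weak() {
    local bits
    bits=$(configured_key_length "$1")
    [ -n "$bits" ] && [ "$bits" -lt "$MIN_BITS" ]
}

# Read `openssl x509 -text` output on stdin; print the RSA modulus size.
# Prints nothing for non-RSA keys (a 256-bit EC key is not "short").
rsa_bits_from_x509_text() {
    awk '/Public Key Algorithm: rsaEncryption/ { rsa = 1 }
         rsa && /Public[- ]Key: \([0-9]+ bit\)/ { gsub(/[^0-9]/, ""); print; exit }'
}

cert_rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | rsa_bits_from_x509_text
}

# List RSA certificates under MIN_BITS in a directory; fail if any found.
audit_cert_dir() {
    local cert bits weak=0
    for cert in "$1"/*.pem "$1"/*.crt; do
        [ -f "$cert" ] || continue
        bits=$(cert_rsa_bits "$cert")
        [ -n "$bits" ] || continue   # not a certificate, or not RSA
        if [ "$bits" -lt "$MIN_BITS" ]; then
            echo "WEAK ${bits}-bit RSA: $cert"
            weak=$((weak + 1))
        fi
    done
    [ "$weak" -eq 0 ]
}
```

Source the file, then run `config_is_weak /etc/sysconfig/ssl` and `audit_cert_dir <certificate directory>`; any certificate reported as WEAK has to be regenerated after the default is raised, since changing `KEY_LENGTH` does not touch keys that already exist.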