Bug 27359

Summary: Updated crypto policy requires longer key so create-ssl-certificate helper script needs updating
Product: Mageia Reporter: Barry Jackson <zen25000>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: herman.viaene, luigiwalser, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: rpm-helper-0.24.17-5.mga7.noarch CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 27358    

Description Barry Jackson 2020-10-04 17:48:05 CEST 
Description of problem:
After a recent update to some *ssl* packages in Mga7 my server stopped running httpd:
[ssl:emerg] [pid 17516] SSL Library Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
AH00016: Configuration Failed

The fix (thanks to Luigi12) was to increase the key length to 4096.

For anyone in this situation the exact procedure was as follows:-

1. Edit /etc/sysconfig/ssl to read:

KEY_LENGTH=4096

(was 2048)

2. Delete /etc/pki/tls/certs/httpd.pem
   Delete /etc/pki/tls/private/httpd.pem

3. Run:
   /usr/share/rpm-helper/create-ssl-certificate apache 1 httpd

4  Reboot

The 2048 is hard coded into the script, so without the edit to /etc/sysconfig/ssl the script would fail to increase the length.

The script needs updating in the rpm-helper package which needs admin access to update, apparently.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
Jani Välimaa 2020-10-04 18:39:07 CEST

Component: Others => RPM Packages
Assignee: sysadmin-bugs => bugsquad
CC: sysadmin-bugs => (none)
Product: Infrastructure => Mageia
Version: unspecified => 7

Comment 1 David Walser 2020-10-04 18:40:02 CEST 
I'm guessing the sources for rpm-helper are in Mageia git, so we'll need a Mageia developer to update it.

CC: (none) => luigiwalser
Version: 7 => Cauldron
Assignee: bugsquad => mageiatools
Whiteboard: (none) => MGA7TOO

Comment 2 David Walser 2020-10-04 18:40:33 CEST 
We should add a blurb about this in the Mageia Release Notes too.
Comment 3 David Walser 2020-10-04 22:52:23 CEST 
Update rpm-helper-0.24.17-5.1.mga7 uploaded by Jani, fixing this.

Assignee: mageiatools => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 4 David Walser 2020-10-04 22:59:47 CEST 
Advisory:
--------

The updated crypto-policies from the Firefox ESR 78 update no longer accept
SSL private keys with a key length less than 4096.  The rpm-helper package
generated keys with a length of 2048.

If you had previously edited the /etc/sysconfig/ssl file, you will need to
update the KEY_LENGTH value to 4096 as this update does, and generate new keys
and certificates.

For example, to generate a new private key and certificate for the Apache web
server, run the following commands as root:

rm -f /etc/pki/tls/private/httpd.pem /etc/pki/tls/certs/httpd.pem
/usr/share/rpm-helper/create-ssl-certificate apache 1 httpd
Comment 5 Herman Viaene 2020-10-05 14:03:49 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Checked the file /etc/sysconfig/ssl, it has the value 4096 now.
But what this is really all about, I haven't a clue. I have a webserver running ommy desktop PC and that neer gave a problem(since I do not mingle with keys). Anyway, this server remains accessible from this laptop after the update,
Leaving for someone else to do a sensible test.

CC: (none) => herman.viaene

Comment 6 David Walser 2020-10-05 14:59:47 CEST 
Herman, have you restarted your web server since the update?  That's when Barry saw the problem.
Comment 7 Herman Viaene 2020-10-05 15:38:23 CEST 
No, because the update has not been applied to that desktop PC, just to my testing laptop installation.
Aurelien Oudelet 2020-10-05 15:57:51 CEST

Blocks: (none) => 27358

Comment 8 Aurelien Oudelet 2020-10-23 11:36:12 CEST 
What about this update?

CC: (none) => ouaurelien

Comment 9 David Walser 2020-10-23 13:06:02 CEST 
It is a very simple change, please validate it.
Comment 10 Aurelien Oudelet 2020-10-23 13:20:22 CEST 
Advisory pushed to SVN.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update

Comment 11 Mageia Robot 2020-10-24 19:52:57 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2020-0217.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED