The script /usr/share/rpm-helper/create-ssl-certificate (and associated configuration file /etc/sysconfig/ssl) from rpm-helper is used for creating SSL certificates for services for most of our packages that support SSL. As the major browser vendors are in the process of dropping support for 1024-bit certificates, and will continue with that over the coming months, it makes no sense for our packages to still be generating certificates with that short a key-length by default. We *really* need to change this to 2048. Reproducible: Steps to Reproduce:
I'm not really comfortable changing this as I'm not super clued up here. Is it safe to just change the 1024 in that file to 2048? Does everything that uses SSL definitely work with these longer certs (do we have to test everything that calls this?) If it's just a matter of changing this, then please feel free to make the change in git and push it and I'll roll a release etc. (although you can actually do it all yourself if you like - including the push as it's exempt from freeze). Should just be a matter of changing those two files (git grep -l KEY_LENGTH) I guess?
Changing to 2048 is not going to break anything. Sticking with 1024 will start breaking things, at the very least with httpd as those certs simply won't be accepted anymore. I haven't done any git stuff, so I'm not up to speed on that yet. AFAIK, fixing this should be a matter of just changing the KEY_LENGTH= in both of those files.
It would really be best to fix this before the release, so that new installations get their certs created with a usable key length. It's more difficult to regenerate them later. If you for some reason still question the validity of increasing the length, maybe noting that certutil in NSS made the same change will help: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes
Yeah, sorry. I was going to give you git instructions to do it yourself but forgot :( I'll do the commit if you like but can I attribute it to yourself? That way you take the blame/credit? :D
(In reply to Colin Guthrie from comment #4) > Yeah, sorry. I was going to give you git instructions to do it yourself but > forgot :( This would be good to have, but it can wait until we get through this release. > I'll do the commit if you like but can I attribute it to yourself? That way > you take the blame/credit? :D Yes, please. Thank you :o)
commit 971938e7043cbbc877039cb75009033cc0bc967f Author: David Walser <luigiwalser@...> Date: Wed Apr 1 17:25:15 2015 +0100 ssl: Change default key length to 2048. Various browsers and other clients are dropping support for 1024-SSL certificates so we should not generate them by default. mga#15576 --- Commit Link: http://gitweb.mageia.org/software/rpm/rpm-helper/commit/?id=971938e7043cbbc877039cb75009033cc0bc967f
Please check the commit - although it's released already! If I've cocked it up, I'll add a git note to pin the blame to me :)
Status: NEW => RESOLVEDResolution: (none) => FIXED
LOL, the commit looked good. Thanks Colin, and thanks also to Thomas Spuhler for bringing this issue to my attention.