Bug 27359 - Updated crypto policy requires longer key so create-ssl-certificate helper script needs updating
Summary: Updated crypto policy requires longer key so create-ssl-certificate helper sc...
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 27358
  Show dependency treegraph
 
Reported: 2020-10-04 17:48 CEST by Barry Jackson
Modified: 2020-10-05 15:57 CEST (History)
2 users (show)

See Also:
Source RPM: rpm-helper-0.24.17-5.mga7.noarch
CVE:
Status comment:


Attachments

Description Barry Jackson 2020-10-04 17:48:05 CEST
Description of problem:
After a recent update to some *ssl* packages in Mga7 my server stopped running httpd:
[ssl:emerg] [pid 17516] SSL Library Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
AH00016: Configuration Failed

The fix (thanks to Luigi12) was to increase the key length to 4096.

For anyone in this situation the exact procedure was as follows:-

1. Edit /etc/sysconfig/ssl to read:

KEY_LENGTH=4096

(was 2048)

2. Delete /etc/pki/tls/certs/httpd.pem
   Delete /etc/pki/tls/private/httpd.pem

3. Run:
   /usr/share/rpm-helper/create-ssl-certificate apache 1 httpd

4  Reboot

The 2048 is hard coded into the script, so without the edit to /etc/sysconfig/ssl the script would fail to increase the length.

The script needs updating in the rpm-helper package which needs admin access to update, apparently.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
Jani Välimaa 2020-10-04 18:39:07 CEST

Component: Others => RPM Packages
Version: unspecified => 7
Product: Infrastructure => Mageia
Assignee: sysadmin-bugs => bugsquad
CC: sysadmin-bugs => (none)

Comment 1 David Walser 2020-10-04 18:40:02 CEST
I'm guessing the sources for rpm-helper are in Mageia git, so we'll need a Mageia developer to update it.

Assignee: bugsquad => mageiatools
Version: 7 => Cauldron
CC: (none) => luigiwalser
Whiteboard: (none) => MGA7TOO

Comment 2 David Walser 2020-10-04 18:40:33 CEST
We should add a blurb about this in the Mageia Release Notes too.
Comment 3 David Walser 2020-10-04 22:52:23 CEST
Update rpm-helper-0.24.17-5.1.mga7 uploaded by Jani, fixing this.

Assignee: mageiatools => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 4 David Walser 2020-10-04 22:59:47 CEST
Advisory:
--------

The updated crypto-policies from the Firefox ESR 78 update no longer accept
SSL private keys with a key length less than 4096.  The rpm-helper package
generated keys with a length of 2048.

If you had previously edited the /etc/sysconfig/ssl file, you will need to
update the KEY_LENGTH value to 4096 as this update does, and generate new keys
and certificates.

For example, to generate a new private key and certificate for the Apache web
server, run the following commands as root:

rm -f /etc/pki/tls/private/httpd.pem /etc/pki/tls/certs/httpd.pem
/usr/share/rpm-helper/create-ssl-certificate apache 1 httpd
Comment 5 Herman Viaene 2020-10-05 14:03:49 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Checked the file /etc/sysconfig/ssl, it has the value 4096 now.
But what this is really all about, I haven't a clue. I have a webserver running ommy desktop PC and that neer gave a problem(since I do not mingle with keys). Anyway, this server remains accessible from this laptop after the update,
Leaving for someone else to do a sensible test.

CC: (none) => herman.viaene

Comment 6 David Walser 2020-10-05 14:59:47 CEST
Herman, have you restarted your web server since the update?  That's when Barry saw the problem.
Comment 7 Herman Viaene 2020-10-05 15:38:23 CEST
No, because the update has not been applied to that desktop PC, just to my testing laptop installation.
Aurelien Oudelet 2020-10-05 15:57:51 CEST

Blocks: (none) => 27358


Note You need to log in before you can comment on or make changes to this bug.