Bug 1046519

Summary: SHA256 should be used instead SHA1
Product: Fedora
Component: easy-rsa
Version: 19
Reporter: Harald Reindl <h.reindl>
Assignee: Gwyn Ciesla <gwync>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gwync
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Fixed In Version: easy-rsa-2.2.2-1.el5
Last Closed: 2014-03-04 06:44:07 UTC
Attachments: patch for pkitool (flags: none)

Description Harald Reindl 2013-12-26 01:41:36 UTC
I am not really happy with the newly created certificates for OpenVPN

Signature Algorithm: sha1WithRSAEncryption
Public-Key: (3072 bit)

SHA1 should no longer be used for newly created certificates anywhere
http://www.digicert.com/sha-2-ssl-certificates.htm

Comment 1 Harald Reindl 2014-02-16 15:45:36 UTC
Created attachment 863750 [details]
patch for pkitool

Attached a patch for "pkitool"

"vars" needs an additional line for the new config parameter
export HASH_ALGO=sha256

Additionally I replaced a hardcoded rsa:1024 with rsa:$KEY_SIZE
________________________________________

After that, new certs look much more state of the art

[root@localhost:/etc/openvpn/]$ openssl x509 -in client.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AT, ST=Vienna, L=Vienna, O=*****, CN=***** CA/emailAddress=*****
        Validity
            Not Before: Feb 16 15:23:22 2014 GMT
            Not After : Feb 14 15:23:22 2024 GMT
        Subject: C=AT, ST=Vienna, L=Vienna, O=*****, CN=client/emailAddress=*****
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

Comment 2 Gwyn Ciesla 2014-02-19 18:59:55 UTC
I've just updated to 2.2.2 in rawhide, and it looks like they've made some changes, including defaulting to sha256. Can you verify?

If it looks good, I'll push it to all branches.

Comment 3 Harald Reindl 2014-02-19 19:12:51 UTC
Please provide a scratch build for F19, since the only environment currently using openvpn/easy-rsa here is F19; in that case I can easily verify it by generating new certificates for my "personal" openvpn instance (every home office here has its own vpn service on a dedicated port with its own keys, and a separate one for roadrunners).

Comment 5 Harald Reindl 2014-02-19 19:21:46 UTC
I will give it a try tomorrow; currently I'm sitting at home, and breaking openvpn is no fun when the primary DNS is on the other end.

I won't only test how the certificates are generated;
my goal is to put them into production with OpenVPN.

From time to time a key change improves security anyway :-)

Comment 6 Harald Reindl 2014-02-20 12:40:06 UTC
Confirmed and in use.

[root@localhost:/etc/openvpn]$ rpm -q easy-rsa
easy-rsa-2.2.2-1.fc19.noarch

[root@localhost:/etc/openvpn]$ cat client.crt | grep bit
                Public-Key: (4096 bit)

[root@localhost:/etc/openvpn]$ cat client.crt | grep -i alg
    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha256WithRSAEncryption
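An added check script (not part of this bug report or of easy-rsa) that automates what Comment 6 does by hand: it parses `openssl x509 -noout -text` output and flags SHA-1/MD5 signatures or RSA keys shorter than 2048 bits. The two sample texts are constructed from the before/after output in this report; `check_cert_file` assumes an `openssl` binary is installed.

```shell
#!/bin/sh
# Added example, not from the bug report or easy-rsa: audit the text form of a
# certificate (`openssl x509 -noout -text`, as pasted in the report) for
# SHA-1/MD5 signatures and RSA keys shorter than 2048 bits.

# Signature algorithm name from x509 text on stdin, e.g. sha256WithRSAEncryption.
sig_algo_from_text() {
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Key size in bits from x509 text on stdin ("Public-Key:" or OpenSSL 1.1's "RSA Public-Key:").
key_bits_from_text() {
    sed -E -n 's/^ *(RSA )?Public-Key: \(([0-9]+) bit\).*/\2/p' | head -n 1
}

# Classify x509 text on stdin: prints "OK <algo> <bits>" and returns 0, or prints
# "WEAK ..." and returns 1 for a SHA-1/MD5 digest or a key shorter than 2048 bits.
classify_cert_text() {
    text=$(cat)
    algo=$(printf '%s\n' "$text" | sig_algo_from_text)
    bits=$(printf '%s\n' "$text" | key_bits_from_text)
    case "$algo" in
        sha1*|md5*|md2*|"") printf 'WEAK signature %s\n' "${algo:-unknown}"; return 1 ;;
    esac
    if [ "${bits:-0}" -lt 2048 ]; then
        printf 'WEAK key %s bit\n' "${bits:-0}"; return 1
    fi
    printf 'OK %s %s\n' "$algo" "$bits"
}

# Same check on a PEM file, as the report does by hand (needs openssl installed).
check_cert_file() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# Constructed samples mirroring the "before" and "after" output in the report.
SAMPLE_BEFORE='Certificate:
    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)'
SAMPLE_AFTER='Certificate:
    Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)'

printf '%s\n' "$SAMPLE_BEFORE" | classify_cert_text   # WEAK signature sha1WithRSAEncryption
printf '%s\n' "$SAMPLE_AFTER"  | classify_cert_text   # OK sha256WithRSAEncryption 4096
```

Run `check_cert_file /etc/openvpn/client.crt` against a real easy-rsa output to apply the same classification to a file.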

Comment 7 Gwyn Ciesla 2014-02-20 14:07:46 UTC
Excellent, I'll get this out for every branch.  Thanks!

Comment 8 Fedora Update System 2014-02-20 14:14:30 UTC
easy-rsa-2.2.2-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.el6

Comment 9 Fedora Update System 2014-02-20 14:14:43 UTC
easy-rsa-2.2.2-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.el5

Comment 10 Fedora Update System 2014-02-20 14:15:11 UTC
easy-rsa-2.2.2-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.fc20

Comment 11 Fedora Update System 2014-02-20 14:15:28 UTC
easy-rsa-2.2.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.fc19

Comment 12 Fedora Update System 2014-02-22 00:44:38 UTC
Package easy-rsa-2.2.2-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing easy-rsa-2.2.2-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2804/easy-rsa-2.2.2-1.fc20
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2014-03-04 06:44:07 UTC
easy-rsa-2.2.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-03-04 06:44:52 UTC
easy-rsa-2.2.2-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-03-10 19:11:42 UTC
easy-rsa-2.2.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-03-10 19:12:42 UTC
easy-rsa-2.2.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.