Red Hat Bugzilla – Full Text Bug Listing
Summary: Elliptic Curve Crypto is disabled in OpenSSL
Product: [Fedora] Fedora
Reporter: Alex Smirnoff <ark>
Component: ca-certificates
Assignee: Joe Orton <jorton>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Version: 15
CC: bernie+fedora, cbm, daniel.black, fweimer, jorton, notting, pbrobinson, tmraz, wendellcraigbaker, zxvdr.au
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2012-02-08 14:06:07 EST
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On:
Description Alex Smirnoff 2010-07-07 13:43:43 EDT
Description of problem:
Elliptic curve crypto is disabled in OpenSSL despite the fact that there are active EC roots (and some ECC root CAs are even included in the fc13 certificate bundle).

Version-Release number of selected component (if applicable):
1.0.0a

How reproducible:
Always

Steps to Reproduce:
1. Search for ECC certificates in /etc/pki/tls/cert.pem

Actual results:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority
        Validity
            Not Before: Mar  6 00:00:00 2008 GMT
            Not After : Jan 18 23:59:59 2038 GMT
        Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
Unable to load Public Key
4154771164:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
4154771164:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:

Expected results:
ECC key type gets correctly recognized.

Additional info:
OpenSSL API, ABI and command line utilities expose a similar problem. RHEL is affected as well.
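The search in Steps to Reproduce, scripted. This is an added example, not part of the bug report or of Fedora's packaging: it splits a PEM bundle into individual certificates, runs each through `openssl x509 -text`, and reports the public key algorithm together with whether the local build could actually load the key (the "Unable to load Public Key" case shown above). The function names `openssl_has_ec`, `scan_bundle` and `count_ec_certs` are this example's own, and the probe for EC support assumes that a build compiled without EC lacks the `ecparam` subcommand.

```shell
#!/bin/sh
# Added example, not code from the bug report. Assumes POSIX sh with
# awk, sed, mktemp and an openssl binary on PATH.

# Probe whether this openssl build has EC compiled in. Assumption used
# here: a no-ec build has no ecparam subcommand, so this call fails.
openssl_has_ec() {
    openssl ecparam -list_curves >/dev/null 2>&1
}

# Print one line per certificate in the bundle given as $1:
#   <index> <public-key-algorithm> <ok|unloadable> <subject>
# "unloadable" marks the failure from the report: openssl prints the
# algorithm name, then "Unable to load Public Key".
scan_bundle() {
    bundle=$1
    tmpdir=$(mktemp -d) || return 1
    # Split on BEGIN/END CERTIFICATE markers; any -text dumps or comments
    # between certificates (as in ca-bundle.crt) are skipped, because
    # lines outside a certificate block have no output file.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%05d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    i=0
    for f in "$tmpdir"/*.pem; do
        [ -e "$f" ] || break
        i=$((i + 1))
        # Capture stdout and stderr together: the error lines the report
        # shows go to stderr, and a no-ec build may exit non-zero.
        text=$(openssl x509 -in "$f" -noout -text 2>&1 || true)
        algo=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1)
        subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: //p' | head -n 1)
        if printf '%s\n' "$text" | grep -q 'Unable to load Public Key'; then
            status=unloadable
        else
            status=ok
        fi
        printf '%s %s %s %s\n' "$i" "${algo:-unknown}" "$status" "$subject"
    done
    rm -rf "$tmpdir"
}

# Count certificates in the bundle whose key is id-ecPublicKey,
# whether or not the local openssl could load them.
count_ec_certs() {
    scan_bundle "$1" | awk '$2 == "id-ecPublicKey" { n++ } END { print n + 0 }'
}
```

Typical use on the system from the report: `openssl_has_ec || echo "this openssl has no EC support"`, then `scan_bundle /etc/pki/tls/cert.pem | grep -v ' ok '` to list exactly the roots that the build cannot parse. The subject is printed last because it contains spaces; the first three columns are single tokens and safe to filter with awk or grep.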
Comment 1 Tomas Mraz 2010-07-07 16:42:36 EDT
Unfortunately we can't include it due to patent concerns. The ECC certificates should probably be removed from the bundle.
Comment 2 Alex Smirnoff 2010-07-07 17:03:32 EDT
(In reply to comment #1)
> Unfortunately we can't include it due to patent concerns.
>
> The ECC certificates should be probably removed from the bundle.

Could you please provide a more specific list? The OpenSSL homepage does not mention patent restrictions besides IDEA, RC5 and MDC2: http://www.openssl.org/support/faq.html#LEGAL1 ...nor does the OpenSSL README.
Comment 3 Tomas Mraz 2010-07-07 19:11:11 EDT
I am sorry but I cannot. I do not have any list of the patent numbers. This is just a decision of Red Hat Legal that we cannot include it.
Comment 4 Joe Orton 2010-07-08 03:57:11 EDT
Does including the ECC roots actually cause any problem? (other than the cosmetic issue of the -text dump in ca-bundle.crt containing an error message)
Comment 5 Bernie Innocenti 2011-04-28 22:21:46 EDT
FYI, Bitcoin also requires ECDSA. Also FYI, the Elliptic Curve algorithms are enabled in the openssl package shipped by Ubuntu and Debian.
Comment 6 Bernie Innocenti 2011-04-29 00:37:00 EDT
In case anyone else needs it, I've published an Elliptic Curve crypto enabled openssl package:
http://codewiz.org/pub/fedora/x86_64/os/openssl-1.0.0d-2.bernie1.fc16.x86_64.rpm
http://codewiz.org/pub/fedora/source/openssl-1.0.0d-2.bernie1.fc16.src.rpm
Comment 7 Bug Zapper 2011-06-01 10:31:03 EDT
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 8 Bernie Innocenti 2011-06-02 01:10:29 EDT
Elliptic curve is still absent in present versions of Fedora.
Comment 9 Bernie Innocenti 2011-06-02 01:25:24 EDT
Some information about the alleged patents covering ECC:
http://en.wikipedia.org/wiki/ECC_patents

I was told the last one of the patents covering ECC will expire in 2012, but I can't find a reliable source confirming it. Meanwhile, D. J. Bernstein thinks that ECDSA and ECDH can be *already* implemented without infringing:
http://cr.yp.to/ecdh/patents.html

Can anyone provide conclusive information?
Comment 10 Tomas Mraz 2011-06-02 04:36:24 EDT
I do not think this is the right place to discuss eventual patent matters. This must be discussed with Fedora legal.
Comment 11 Bernie Innocenti 2011-06-02 17:33:25 EDT
(In reply to comment #10)
> I do not think this is the right place to discuss eventual patent matters. This
> must be discussed with Fedora legal.

I've asked on the legal list.
Comment 12 Peter Robinson 2011-11-28 16:20:38 EST
(In reply to comment #10)
> I do not think this is the right place to discuss eventual patent matters. This
> must be discussed with Fedora legal.

You need to block the FE-LEGAL blocker bug to get a response from Fedora legal so they're aware of it. Bug history tells me this hasn't. Now added!