I am not really happy with the newly created certificates for OpenVPN:

    Signature Algorithm: sha1WithRSAEncryption
    Public-Key: (3072 bit)

SHA1 should no longer be used for newly created certificates anywhere:
http://www.digicert.com/sha-2-ssl-certificates.htm
Created attachment 863750
patch for pkitool

Attached a patch for "pkitool". "vars" needs an additional line for the new config parameter:

    export HASH_ALGO=sha256

Additionally I fixed a hardcoded rsa:1024 with rsa:$KEY_SIZE.

After that, new certs are looking much more state of the art:

[root@localhost:/etc/openvpn/]$ openssl x509 -in client.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AT, ST=Vienna, L=Vienna, O=*****, CN=***** CA/emailAddress=*****
        Validity
            Not Before: Feb 16 15:23:22 2014 GMT
            Not After : Feb 14 15:23:22 2024 GMT
        Subject: C=AT, ST=Vienna, L=Vienna, O=*****, CN=client/emailAddress=*****
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
I've just updated to 2.2.2 in rawhide, and it looks like they're made some changes, including defaulting to sha256. Can you verify? If it looks good, I'll push it to all branches.
Please provide a scratch build for F19, since the only environment currently using openvpn/easy-rsa here is F19; in that case I can easily verify it by generating new certificates for my "personal" openvpn instance (every home office here has its own vpn-service on a dedicated port with its own keys, and a separate one for roadrunners).
http://koji.fedoraproject.org/koji/taskinfo?taskID=6548717
I will give it a try tomorrow; currently I'm sitting at home, and breaking openvpn is no fun when the primary DNS is on the other end. I won't only test how the certificates are generated; my goal is to put them into production with OpenVPN. A key change from time to time improves security anyway :-)
Confirmed and in use:

[root@localhost:/etc/openvpn]$ rpm -q easy-rsa
easy-rsa-2.2.2-1.fc19.noarch
[root@localhost:/etc/openvpn]$ cat client.crt | grep bit
                Public-Key: (4096 bit)
[root@localhost:/etc/openvpn]$ cat client.crt | grep -i alg
    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha256WithRSAEncryption
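The two things this thread does by hand, issuing a certificate whose digest and key size come from variables (as the patched pkitool is described as reading HASH_ALGO and KEY_SIZE from "vars") and then grepping the text dump for the signature algorithm and key size, as an added, reusable shell example. This is not code from the bug report or from easy-rsa: the openssl req invocation stands in for pkitool's own, and the defaults HASH_ALGO=sha256, KEY_SIZE=2048 and MIN_BITS=2048 are assumptions. The audit half also handles non-RSA certificates, which the one-line grep in the thread does not: a 256-bit EC key is not a short key and is not flagged.

```shell
#!/bin/sh
# Added example, not part of the bug report or of easy-rsa itself.
# 1. make_self_signed: issue a test certificate whose digest and modulus size
#    come from HASH_ALGO / KEY_SIZE, the way the patched "vars" is meant to
#    supply them (this openssl command is an assumption, not pkitool's code).
# 2. check_cert / audit_dir: flag certificates with a sha1 (or MD*) signature
#    or an RSA key below MIN_BITS, using only openssl(1) and awk.
# Assumed defaults (not from the report): sha256, 2048-bit keys, 2048 minimum.

HASH_ALGO=${HASH_ALGO:-sha256}
KEY_SIZE=${KEY_SIZE:-2048}
MIN_BITS=${MIN_BITS:-2048}

# make_self_signed CN KEYFILE CERTFILE
make_self_signed() {
    openssl req -x509 -newkey "rsa:$KEY_SIZE" -"$HASH_ALGO" -nodes \
        -subj "/CN=$1" -days 30 -keyout "$2" -out "$3" >/dev/null 2>&1
}

# Pull single fields out of "openssl x509 -text"; the first match is the one
# inside tbsCertificate, which is the algorithm the CA actually signed with.
cert_sigalg() {   # e.g. sha256WithRSAEncryption
    openssl x509 -in "$1" -noout -text |
        awk '/^ *Signature Algorithm:/ { print $3; exit }'
}
cert_keyalg() {   # e.g. rsaEncryption or id-ecPublicKey
    openssl x509 -in "$1" -noout -text |
        awk '/Public Key Algorithm:/ { print $4; exit }'
}
cert_bits() {     # e.g. 4096
    openssl x509 -in "$1" -noout -text |
        awk '/Public-Key: \(/ { sub(/.*\(/, ""); sub(/ bit.*/, ""); print; exit }'
}

# classify SIGALG KEYALG BITS
# Prints "ok" or "weak: <reason>" and returns 1 for weak. The key-size
# threshold is applied to RSA keys only.
classify() {
    sigalg=$1 keyalg=$2 bits=${3:-0}
    case $sigalg in
        sha1*|md5*|md4*|md2*)
            echo "weak: $sigalg signature"; return 1 ;;
    esac
    if [ "$keyalg" = rsaEncryption ] && [ "$bits" -lt "$MIN_BITS" ]; then
        echo "weak: $bits-bit RSA key (< $MIN_BITS)"; return 1
    fi
    echo ok
}

# check_cert FILE: classify one PEM certificate.
check_cert() {
    classify "$(cert_sigalg "$1")" "$(cert_keyalg "$1")" "$(cert_bits "$1")"
}

# audit_dir DIR: report every *.crt under DIR; returns 1 if any is weak.
audit_dir() {
    rc=0
    for f in "$1"/*.crt; do
        [ -e "$f" ] || continue
        result=$(check_cert "$f") || rc=1
        printf '%s: %s\n' "$f" "$result"
    done
    return $rc
}

# Demo: "sh audit.sh demo" issues a test cert into a temp dir and audits it.
if [ "${1-}" = demo ]; then
    d=$(mktemp -d)
    make_self_signed demo-client "$d/demo.key" "$d/demo.crt"
    audit_dir "$d"
    rm -rf "$d"
fi
```

Point audit_dir at the keys directory of an existing easy-rsa setup (for example the /etc/openvpn directory used in this thread) to list every certificate that still carries a sha1WithRSAEncryption signature or a short RSA key; the non-zero exit status makes it usable from a cron job or a CI check, and the first "Signature Algorithm" line is read on purpose, since that is the one the CA signed, not the trailing copy.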
Excellent, I'll get this out for every branch. Thanks!
easy-rsa-2.2.2-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.el6
easy-rsa-2.2.2-1.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.el5
easy-rsa-2.2.2-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.fc20
easy-rsa-2.2.2-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.fc19
Package easy-rsa-2.2.2-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing easy-rsa-2.2.2-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2804/easy-rsa-2.2.2-1.fc20
then log in and leave karma (feedback).
easy-rsa-2.2.2-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
easy-rsa-2.2.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
easy-rsa-2.2.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
easy-rsa-2.2.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.