Bug 1046519 - SHA256 should be used instead SHA1
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: easy-rsa
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-12-26 01:41 UTC by Harald Reindl
Modified: 2014-03-10 19:12 UTC (History)

Fixed In Version: easy-rsa-2.2.2-1.el5
Doc Type: Bug Fix
Last Closed: 2014-03-04 06:44:07 UTC
Type: Bug


Attachments
patch for pkitool (1.50 KB, patch)
2014-02-16 15:45 UTC, Harald Reindl

Description Harald Reindl 2013-12-26 01:41:36 UTC
I am not really happy with the recently newly created certificates for OpenVPN

Signature Algorithm: sha1WithRSAEncryption
Public-Key: (3072 bit)

SHA1 should no longer be used for newly created certificates anywhere
http://www.digicert.com/sha-2-ssl-certificates.htm

Comment 1 Harald Reindl 2014-02-16 15:45:36 UTC
Created attachment 863750 [details]
patch for pkitool

Attached a patch for "pkitool"

"vars" needs an additional line for the new config parameter:
export HASH_ALGO=sha256

Additionally, I fixed a hardcoded rsa:1024 with rsa:$KEY_SIZE
________________________________________

After that, new certs are looking much more state of the art

[root@localhost:/etc/openvpn/]$ openssl x509 -in client.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AT, ST=Vienna, L=Vienna, O=*****, CN=***** CA/emailAddress=*****
        Validity
            Not Before: Feb 16 15:23:22 2014 GMT
            Not After : Feb 14 15:23:22 2024 GMT
        Subject: C=AT, ST=Vienna, L=Vienna, O=*****, CN=client/emailAddress=*****
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

Comment 2 Gwyn Ciesla 2014-02-19 18:59:55 UTC
I've just updated to 2.2.2 in rawhide, and it looks like they've made some changes, including defaulting to sha256.  Can you verify?

If it looks good, I'll push it to all branches.

Comment 3 Harald Reindl 2014-02-19 19:12:51 UTC
Please provide a scratch-build for F19, since the only environment currently using openvpn/easy-rsa here is F19. In that case I can easily verify it by generating new certificates for my "personal" openvpn-instance (any home office here has its own vpn-service on a dedicated port with own keys and a separate one for roadrunners)

Comment 5 Harald Reindl 2014-02-19 19:21:46 UTC
I will give it a try tomorrow, currently sitting at home and breaking openvpn makes no fun in case the primary DNS is on the other end

I won't only test how the certificates are generated;
my goal is to set them in production with OpenVPN

from time to time a key change improves security anyways :-)

Comment 6 Harald Reindl 2014-02-20 12:40:06 UTC
confirmed and in use

[root@localhost:/etc/openvpn]$ rpm -q easy-rsa
easy-rsa-2.2.2-1.fc19.noarch

[root@localhost:/etc/openvpn]$ cat client.crt | grep bit
                Public-Key: (4096 bit)

[root@localhost:/etc/openvpn]$ cat client.crt | grep -i alg
    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha256WithRSAEncryption
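
Added example (not part of the bug report and not easy-rsa code): a shell audit that turns the manual grep check above into a pass/fail test for existing certificates, flagging SHA-1/MD5 signatures and short RSA keys. The function names and the 2048-bit RSA minimum are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit certificates for weak signature hashes and short RSA keys.
MIN_RSA_BITS=2048   # assumed policy threshold, not a value from the bug report

# Reads `openssl x509 -noout -text` output on stdin and prints one verdict line:
#   <ok|weak|unparsed> sig=<algorithm> key=<algorithm>/<bits>
# Returns 0 for ok, 1 for weak, 2 when the expected fields are missing.
classify_cert_text() {
    local text sig keyalg bits verdict
    text=$(cat)
    # The first "Signature Algorithm" line is the one inside the signed data.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # Matches "Public-Key: (4096 bit)" and the older "RSA Public Key: (1024 bit)".
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public[- ]Key: *(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)

    if [ -z "$sig" ] || [ -z "$keyalg" ] || [ -z "$bits" ]; then
        echo "unparsed sig=${sig:-?} key=${keyalg:-?}/${bits:-?}"
        return 2
    fi

    verdict=ok
    # MD2/MD4/MD5 and SHA-1 signatures are flagged whatever the key type.
    case "$sig" in
        *[Ss][Hh][Aa]1*|*[Mm][Dd][245]*) verdict=weak ;;
    esac
    # The bit threshold applies to RSA only; EC key sizes are not comparable.
    if [ "$keyalg" = "rsaEncryption" ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        verdict=weak
    fi

    echo "$verdict sig=$sig key=$keyalg/$bits"
    [ "$verdict" = ok ]
}

# Runs the classifier on one PEM certificate file (requires the openssl CLI).
audit_cert_file() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# When certificate paths are given as arguments, audit each one.
for cert in "$@"; do
    printf '%s: ' "$cert"
    audit_cert_file "$cert" || true
done
```

Run it as `bash audit.sh /etc/openvpn/*.crt` (the script name is hypothetical); certificates issued before the update still carry their SHA-1 signature until they are reissued.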

Comment 7 Gwyn Ciesla 2014-02-20 14:07:46 UTC
Excellent, I'll get this out for every branch.  Thanks!

Comment 8 Fedora Update System 2014-02-20 14:14:30 UTC
easy-rsa-2.2.2-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.el6

Comment 9 Fedora Update System 2014-02-20 14:14:43 UTC
easy-rsa-2.2.2-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.el5

Comment 10 Fedora Update System 2014-02-20 14:15:11 UTC
easy-rsa-2.2.2-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.fc20

Comment 11 Fedora Update System 2014-02-20 14:15:28 UTC
easy-rsa-2.2.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/easy-rsa-2.2.2-1.fc19

Comment 12 Fedora Update System 2014-02-22 00:44:38 UTC
Package easy-rsa-2.2.2-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing easy-rsa-2.2.2-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2804/easy-rsa-2.2.2-1.fc20
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2014-03-04 06:44:07 UTC
easy-rsa-2.2.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-03-04 06:44:52 UTC
easy-rsa-2.2.2-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-03-10 19:11:42 UTC
easy-rsa-2.2.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-03-10 19:12:42 UTC
easy-rsa-2.2.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

