1901486 – Release notes should mention fixes for older systems impacted by security tightening in F33

Bug 1901486 - Release notes should mention fixes for older systems impacted by security tightening in F33

Summary: Release notes should mention fixes for older systems impacted by security tig...

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Fedora Documentation
Classification:	Retired
Component:	release-notes
Sub Component:
Version:	devel
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Petr Bokoc
QA Contact:	Fedora Docs QA
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-11-25 11:49 UTC by Russell Odom
Modified:	2024-05-21 09:23 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2024-05-21 09:23:37 UTC
Embargoed:

Attachments	(Terms of Use)

Description Russell Odom 2020-11-25 11:49:01 UTC

Description of problem:

On booting my system after upgrade from F31 to F33, neither httpd nor dovecot would start. This system is quite an old one that's been upgraded through many versions of Fedora. This appears to be a result of "Strong Crypto Settings - Phase 2" mentioned on https://docs.fedoraproject.org/en-US/fedora/f33/release-notes/sysadmin/Security/

The relevant errors were:

* Apache (/var/log/httpd/error_log):
[Mon Nov 23 11:44:11.517501 2020] [ssl:emerg] [pid 13680:tid 13680] AH02562: Failed to configure certificate gigalith.gloomytrousers.co.uk:443:0 (with chain), check /etc/pki/tls/certs/localhost.crt
[Mon Nov 23 11:44:11.517525 2020] [ssl:emerg] [pid 13680:tid 13680] SSL Library Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

This cert was 1024 bit, first generated in 2010. The fix was to remove /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key then run  /usr/libexec/httpd-ssl-gencerts.


* Dovecot (journal):
Nov 23 12:35:27 gigalith.gloomytrousers.co.uk dovecot[31160]: config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
Nov 23 12:35:27 gigalith.gloomytrousers.co.uk dovecot[31160]: config: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem

/etc/dovecot/dh.pem was present, dating from from 2013. The recommended fix did NOT work (I recall having run this in the past) - it just generated an identical file. The actual fix (stumbled across in bug 1882939) was to regenerate the DH params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` (this took 32 mins on my machine!)


I suspect Exim might also have similar problems for some people, although I didn't have a problem (my cert was 2048 bit from 2010, although I think I generated this in a non-default way at the time). The fix in this case would be to remove /etc/pki/tls/certs/exim.pem and /etc/pki/tls/private/exim.pem then run /usr/libexec/exim-gen-cert.


I suggest these workarounds which might be required for older systems be documented on https://docs.fedoraproject.org/en-US/fedora/f33/release-notes/sysadmin/Security/ - along with anything else that might suffer from similar issues.

Comment 1 Petr Bokoc 2024-05-21 09:23:37 UTC

This guide has been retired, therefore I'm closing this bug. 

If you would like to report Fedora docs bugs in the future, please use the "bug" icon on the top right of the affected page, it will take you directly to the appropriate issue tracker.

Note You need to log in before you can comment on or make changes to this bug.