Bug 484101 - Makefile for generating keys and certificates specifies less than the recommended number of bits
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: openssl
Version: 10
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Reported: 2009-02-04 14:30 EST by Mark Harig
Modified: 2009-07-03 10:01 EDT
Fixed In Version: openssl-0.9.8k-6.fc12
Doc Type: Enhancement
: 745410 (view as bug list)
Last Closed: 2009-07-03 10:01:14 EDT


Description Mark Harig 2009-02-04 14:30:00 EST
Description of problem:
The file /etc/pki/tls/certs/Makefile specifies 1024 bits when generating the targets '%.pem' and '%.key', instead of the recommended minimum 2048 bits.

Version-Release number of selected component (if applicable):
$ rpm -qf /etc/pki/tls/certs/Makefile
openssl-0.9.8g-12.fc10.x86_64

How reproducible:
"Always."

Steps to Reproduce:
1. grep 1024 /etc/pki/tls/certs/Makefile
  
Actual results:
        /usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
        /usr/bin/openssl genrsa -des3 1024 > $@

Expected results:
        /usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
        /usr/bin/openssl genrsa -des3 2048 > $@

Additional info:
The recommended number of bits to be used when generating .pem and .key files is described in the OpenSSL document here:

http://www.openssl.org/docs/HOWTO/keys.txt

"The number 2048 is the size of the key, in bits.  Today, 2048 or
higher is recommended for RSA keys, as fewer amount of bits is
consider insecure or to be insecure pretty soon."

This might be a "Security Sensitive Bug."  Please reset that flag if I am mistaken.
Comment 1 Tomas Hoger 2009-02-06 04:12:57 EST
(In reply to comment #0)
> This might be a "Security Sensitive Bug."  Please reset that flag if I am
> mistaken.

That is used for non-public security vulnerabilities, while this is fairly public and more of an RFE, actually.
Comment 2 Tomas Mraz 2009-07-03 10:01:14 EDT
Fixed in rawhide. To limit the number of updates in released Fedoras, I will not do an update there just now. The admin can fix the problem manually there. If there is an update for other reasons, I will add the fix for this bug as well.
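
Comment 2 leaves the change on released Fedora versions to the administrator. The script below is an added example, not part of the bug report or the openssl package: it reports RSA key-generation sizes below 2048 bits in a Makefile and writes a corrected copy for review. The function names, MIN_BITS and the sample file are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the bug report or the openssl package).
MIN_BITS=2048    # minimum from the OpenSSL HOWTO quoted in the report

# rsa_bits MODE FILE: MODE=report prints "line:bits" for each RSA size below
# MIN_BITS; MODE=fix prints the file with those sizes raised to MIN_BITS.
rsa_bits() {
    awk -v min="$MIN_BITS" -v mode="$1" '
    # Find the key size on a line that generates an RSA key; pos=0 if none.
    function locate(line,    start, s) {
        pos = 0
        if (!match(line, /-newkey[ \t]+rsa:[0-9]+/) &&
            !match(line, /genrsa[^>|;]*[ \t][0-9]+/)) return
        start = RSTART; s = substr(line, RSTART, RLENGTH)
        match(s, /[0-9]+$/)
        pos = start + RSTART - 1; len = RLENGTH
    }
    { locate($0); weak = (pos && substr($0, pos, len) + 0 < min + 0) }
    mode == "report" && weak { print NR ":" substr($0, pos, len) }
    mode == "fix" {
        if (weak) $0 = substr($0, 1, pos - 1) min substr($0, pos + len)
        print
    }' "$2"
}
find_weak_rsa() { rsa_bits report "$1"; }
fix_weak_rsa()  { rsa_bits fix "$1" > "$2"; }   # $2 = new file to review

# Demo on the two recipe lines quoted in the report (sample file built here).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/Makefile" <<'EOF'
	/usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
	/usr/bin/openssl genrsa -des3 1024 > $@
EOF
    echo "weak sizes (line:bits):"; find_weak_rsa "$d/Makefile"
    fix_weak_rsa "$d/Makefile" "$d/Makefile.new"
    diff "$d/Makefile" "$d/Makefile.new"
    rm -rf "$d"
}
demo
```

Keys and certificates already generated with the old recipes stay at 1024 bits; only newly generated ones pick up the larger size.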
