Bug 745410 - Makefile for generating keys and certificates specifies less than the recommended number of bits
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssl
Version: 5.8
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-10-12 09:51 UTC by Buchan Milne
Modified: 2012-11-05 15:13 UTC

Fixed In Version: openssl-0.9.8e-21.el5
Doc Type: Bug Fix
Doc Text:
Clone Of: 484101
Environment:
Last Closed: 2012-02-21 06:09:08 UTC
Target Upstream Version:
Embargoed:


Links
Red Hat Product Errata RHBA-2012:0229 (priority: normal, status: SHIPPED_LIVE): openssl bug fix and enhancement update, last updated 2012-02-20 15:07:49 UTC

Description Buchan Milne 2011-10-12 09:51:28 UTC
This fix should really be pushed to RHEL5; NIST has deprecated 1024-bit moduli from Jan 1 2011:
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
and CAs will no longer issue certificates with 1024-bit moduli:
http://ssl.entrust.net/blog/?p=422


+++ This bug was initially created as a clone of Bug #484101 +++

Description of problem:
The file /etc/pki/tls/certs/Makefile specifies 1024 bits when generating the targets '%.pem' and '%.key', instead of the recommended minimum 2048 bits.

Version-Release number of selected component (if applicable):
$ rpm -qf /etc/pki/tls/certs/Makefile
openssl-0.9.8g-12.fc10.x86_64

How reproducible:
"Always."

Steps to Reproduce:
1. grep 1024 /etc/pki/tls/certs/Makefile
  
Actual results:
        /usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
        /usr/bin/openssl genrsa -des3 1024 > $@

Expected results:
        /usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
        /usr/bin/openssl genrsa -des3 2048 > $@

Additional info:
The recommended number of bits to be used when generating .pem and .key files is described in the OpenSSL document here:

http://www.openssl.org/docs/HOWTO/keys.txt

"The number 2048 is the size of the key, in bits.  Today, 2048 or
higher is recommended for RSA keys, as fewer amount of bits is
consider insecure or to be insecure pretty soon."

This might be a "Security Sensitive Bug."  Please reset that flag if I am mistaken.

--- Additional comment from thoger on 2009-02-06 04:12:57 EST ---

(In reply to comment #0)
> This might be a "Security Sensitive Bug."  Please reset that flag if I am
> mistaken.

That is used for non-public security vulnerabilities, while this is fairly public and more of an RFE, actually.

--- Additional comment from tmraz on 2009-07-03 10:01:14 EDT ---

Fixed in rawhide. To limit the number of updates in released Fedoras, I will not do an update there just now. The admin can fix the problem manually there. If there is an update for other reasons, I will add the fix for this bug as well.

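A defender-side check for the Makefile setting this report describes, added here as an example and not taken from the bug report or from the openssl package: it scans a certs Makefile for the two key-size forms quoted above ("-newkey rsa:N" from "openssl req" and the positional size argument of "openssl genrsa") and reports every size below 2048 bits. The sample Makefile fragment is constructed from the "Actual results" lines; the function names and the minimum-bits default are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit an OpenSSL certs Makefile
# (such as /etc/pki/tls/certs/Makefile) for RSA key sizes below a minimum.
# Recognises the two forms quoted in the report: "-newkey rsa:N" and the
# trailing numeric argument of "openssl genrsa".

# Print "LINE:BITS" for every RSA key size found in the Makefile given as $1.
rsa_key_sizes() {
    awk '
        match($0, /rsa:[0-9]+/) {
            # "rsa:" is four characters; what follows is the key size
            print NR ":" substr($0, RSTART + 4, RLENGTH - 4)
        }
        /genrsa/ {
            # genrsa takes the key size as its last all-digit argument
            bits = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) bits = $i
            if (bits != "") print NR ":" bits
        }
    ' "$1"
}

# Report every key size in Makefile $1 below $2 bits (default 2048).
# Exit status 1 if any undersized key was found, 0 otherwise.
audit_makefile() {
    min=${2:-2048}
    rsa_key_sizes "$1" | awk -F: -v min="$min" -v f="$1" '
        $2 + 0 < min { printf "%s:%s: RSA key size %s < %s bits\n", f, $1, $2, min; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Constructed Makefile fragment mirroring the "Actual results" lines above.
weak_makefile=$(mktemp)
cat > "$weak_makefile" <<'EOF'
%.pem:
	/usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
%.key:
	/usr/bin/openssl genrsa -des3 1024 > $@
EOF

if audit_makefile "$weak_makefile"; then
    echo "OK: every RSA key size in $weak_makefile is at least 2048 bits"
else
    echo "FAIL: key sizes below 2048 bits found in $weak_makefile (see lines above)"
fi
rm -f "$weak_makefile"
```

Run it against the installed Makefile with `audit_makefile /etc/pki/tls/certs/Makefile`; a second argument raises the minimum.
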
Comment 4 errata-xmlrpc 2012-02-21 06:09:08 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0229.html
