389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux
https://www.port389.org/

Directory Console generates insufficient key strength #362

Closed 389-ds-bot closed 4 years ago

389-ds-bot commented 4 years ago

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/362


From "Manage Certificates", "Request": the wizard generates keys of only 1024-bit length. The minimum needed for (all?) CAs that are non-self-signed now is 2048.

This requires using the command line to generate the CSR for a signed cert outside the organization.

The request wizard should have an option to change bit size, or at least default to the minimum required for security (now 2048).

389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.15-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-dsgw-1.1.9-1.el6.x86_64
389-admin-1.1.29-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-1.2.10.7-1.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.10.7-1.el6.x86_64
389-ds-1.2.2-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch

389-ds-bot commented 4 years ago

Comment from rmeggins (@richm) at 2012-07-31 23:31:44

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=844764 (Red Hat Directory Server)

389-ds-bot commented 4 years ago

Comment from rmeggins (@richm) at 2012-08-14 19:57:05

set default ticket origin to Community

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2012-08-28 04:14:42

Added initial screened field value.

389-ds-bot commented 4 years ago

Comment from eal3 at 2013-05-02 02:45:57

Tried to get a new CSR today, found this is still a problem. (Thus checked here.)

There's no point in having the functionality in the Wizard at this point, IMO, and if we can't have a usable key size, that should be in the wizard "This is usable only for self-signed, use command line for signed keys", for instance.

[root@ds4 dirsrv]# yum list | grep 389
389-admin.x86_64                1.1.29-1.el6            @epel
389-admin-console.noarch        1.1.8-1.el6             @epel
389-admin-console-doc.noarch    1.1.8-1.el6             @epel
389-adminutil.x86_64            1.1.15-1.el6            @epel
389-console.noarch              1.1.7-1.el6             @epel
389-ds.noarch                   1.2.2-1.el6             @epel
389-ds-base.x86_64              1.2.11.15-14.el6_4      @rhel-x86_64-server-6
389-ds-base-libs.x86_64         1.2.11.15-14.el6_4      @rhel-x86_64-server-6
389-ds-console.noarch           1.2.6-1.el6             @epel
389-ds-console-doc.noarch       1.2.6-1.el6             @epel
389-dsgw.x86_64                 1.1.10-1.el6            @epel
389-admin.i686                  1.1.29-1.el6            epel
389-adminutil.i686              1.1.15-1.el6            epel
389-adminutil-devel.i686        1.1.15-1.el6            epel
389-adminutil-devel.x86_64      1.1.15-1.el6            epel
389-ds-base-devel.i686          1.2.11.15-14.el6_4      rhel-x86_64-server-optional-6
389-ds-base-devel.x86_64        1.2.11.15-14.el6_4      rhel-x86_64-server-optional-6
389-ds-base-libs.i686           1.2.11.15-14.el6_4      rhel-x86_64-server-6
[root@ds4 dirsrv]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2013-08-13 23:39:42

In addition to changing the default key size (and making it configurable), we should change the default for the signature algorithm to sha1WithRSAEncryption.

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2013-08-14 05:01:40

Admin Server diffs 0001-Ticket-362-Directory-Console-generates-insufficient-.patch

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2013-08-14 05:04:55

The Admin Server patch improves the default RSA key size and signing algorithm. No Console changes are needed to take advantage of these new defaults. The new defaults are:

The patch also gives the CGI the capability to support a configurable RSA key size up to 4096 as well as SHA-256, SHA-384, and SHA-512 signing algorithms. To take advantage of this capability, changes need to be made to idm-console-framework to allow the user to make selections.

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2013-08-14 05:09:36

Here is a certificate request generated by invoking the security CGI (with patch) from an unmodified Console. As can be seen, the key size is 2048 and the signing algorithm is SHA-1:

[nathank@neptune ~]$ openssl req -in /tmp/csr2.txt -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=California, CN=test.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:fc:88:b9:8f:92:f8:7f:16:78:5b:77:60:bb:
                    73:da:d9:4c:bd:86:d8:a8:7d:e2:6a:b3:9c:2f:11:
                    8a:ea:21:85:4e:71:ef:1d:27:10:34:da:66:97:25:
                    13:6c:5f:ad:e3:bd:31:1b:c0:5b:ed:80:de:4c:f6:
                    72:ae:58:21:e9:0d:90:97:b8:1e:07:5a:94:f7:7a:
                    2e:95:af:d7:c6:3e:fb:c7:c6:80:01:b6:aa:b9:09:
                    0e:05:b5:a9:f8:3e:db:09:45:d9:19:3b:3d:4a:9a:
                    4e:1c:4a:f0:a3:49:67:3e:82:a3:f3:1e:d1:4f:0d:
                    da:9f:5d:9e:f3:57:8d:ae:6b:c0:20:2d:67:8a:d3:
                    91:4b:b3:fa:31:80:3c:27:9a:1a:b2:36:32:07:31:
                    87:2c:87:2b:c0:d5:06:62:c4:66:a7:96:31:0c:8c:
                    16:60:27:5f:21:75:85:6d:02:f5:c4:ba:40:2b:70:
                    59:5d:4c:f8:39:c5:b8:ef:b8:11:07:c2:fd:6a:09:
                    84:87:7d:c5:f8:e5:ed:c1:77:22:c1:f6:13:60:3b:
                    70:10:59:90:f6:74:17:0f:15:55:10:1b:e8:88:0d:
                    af:85:5f:5f:6d:62:13:ff:87:d4:1d:d4:4f:d5:11:
                    04:b6:ed:eb:66:e8:46:dd:9e:0b:ba:b3:6c:69:ac:
                    57:81
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
         90:45:58:8b:f4:6c:42:b1:51:e9:52:b1:59:96:f4:24:a2:30:
         22:26:03:6b:61:d8:c7:9c:1c:d0:ac:90:9a:fc:3b:44:d5:ac:
         52:77:73:79:3d:ae:50:9c:65:02:b3:6d:c2:ca:22:1b:33:f2:
         67:6b:20:f9:65:4a:c0:1c:28:a3:39:19:c6:d8:b0:4d:a3:93:
         de:e2:56:d9:09:0a:0e:64:8a:9b:12:64:76:09:41:26:7f:88:
         ee:bc:e1:04:e4:a8:93:be:c8:27:06:74:3f:1d:2c:f3:30:a4:
         fd:45:60:12:7d:2f:47:73:e3:12:de:d4:22:f8:e2:29:2a:13:
         b7:8d:2e:b6:c2:d4:ce:42:4f:f7:f7:05:f7:6d:19:60:8f:8b:
         db:39:37:bf:9c:3a:56:90:91:bf:33:5a:7f:14:4d:56:45:b9:
         df:e2:d1:e8:b2:db:6a:6b:5e:ab:51:2a:be:fb:0f:b7:f4:85:
         65:94:25:0d:00:ea:b6:ed:ad:48:19:f7:6a:bf:c0:79:80:6e:
         1d:e5:18:08:65:78:37:a8:7a:a5:0b:95:6a:9d:93:25:35:60:
         4f:b3:39:21:48:c9:ce:ea:c7:01:8c:84:17:2c:22:ff:35:93:
         ef:9b:bc:0b:94:04:6e:23:1a:de:38:2d:fb:c2:ec:80:5d:cc:
         f2:6b:1d:b8
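The `openssl req -text` dump above is the manual version of the check this ticket is really about: is the key at least 2048 bits, and is the request signed with something better than MD5 or SHA-1? Below is an added example, not code from 389-ds-base, the Admin Server patch or the Console, that performs the same check with stdlib Python only, so a provisioning script can refuse a weak CSR (whether the Console wizard or `certutil -R` on the command line produced it) before it goes to a CA. It assumes an RSA subject key and definite-length DER, which is what NSS and OpenSSL emit. The sample CSRs are constructed inside the block with a dummy modulus and an all-zero signature: they are structurally valid PKCS#10 but are not real keys, and the checker deliberately does not verify the self-signature.

```python
"""Policy check for an RSA PKCS#10 CSR: key size and signature algorithm.

Added example, not code from 389-ds-base or the Admin Server patch.  A
stdlib-only DER walker that reads just enough of a CSR to reject 1024-bit
keys and MD5/SHA-1 signatures.  Assumes RSA keys and definite-length DER.
"""
import base64
import re

# DER contents octets of the algorithm OIDs recognised here.
RSA_OID = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010c"): "sha384WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010d"): "sha512WithRSAEncryption",
}
WEAK_SIGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MIN_RSA_BITS = 2048   # the minimum the ticket asks for; a policy value, adjust to taste


def der_read(buf, pos=0):
    """Read one definite-length TLV at pos; returns (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split a constructed element's contents into [(tag, contents), ...]."""
    out, pos = [], 0
    while pos < len(contents):
        tag, body, pos = der_read(contents, pos)
        out.append((tag, body))
    return out


def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def inspect_csr(data):
    """Return {'key_bits', 'sig_alg', 'problems'} for a DER (bytes) or PEM (str) CSR."""
    der = pem_to_der(data) if isinstance(data, str) else data
    tag, csr, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("CSR is not a DER SEQUENCE")
    # CertificationRequest ::= SEQUENCE { certificationRequestInfo,
    #                                     signatureAlgorithm, signature }
    (_, cri), (_, sig_alg_id), _signature = der_children(csr)
    # CertificationRequestInfo ::= SEQUENCE { version, subject, subjectPKInfo, attrs }
    _version, _subject, (_, spki) = der_children(cri)[:3]
    (_, key_alg), (_, pubkey_bits) = der_children(spki)
    if der_children(key_alg)[0][1] != RSA_OID:
        raise ValueError("only RSA subject keys are handled here")
    # BIT STRING: first octet is the unused-bit count, then
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    modulus = der_children(der_read(pubkey_bits[1:])[1])[0][1]
    key_bits = int.from_bytes(modulus, "big").bit_length()   # leading 0x00 pad is ignored
    sig_alg = SIG_OIDS.get(der_children(sig_alg_id)[0][1], "unknown")
    problems = []
    if key_bits < MIN_RSA_BITS:
        problems.append(f"RSA key is {key_bits} bits, minimum is {MIN_RSA_BITS}")
    if sig_alg in WEAK_SIGS or sig_alg == "unknown":
        problems.append(f"signature algorithm {sig_alg} is not acceptable")
    return {"key_bits": key_bits, "sig_alg": sig_alg, "problems": problems}


# --- constructed fixture: not a real key, not a real signature ----------------

def der_tlv(tag, contents):
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return der_tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep INTEGER positive


def make_sample_csr(key_bits, sig_oid):
    """Structurally valid CSR with a dummy modulus of exactly key_bits bits and an
    all-zero signature: enough to exercise the checker, useless for anything else."""
    modulus = (1 << (key_bits - 1)) | 1
    rsa_key = der_tlv(0x30, der_int(modulus) + der_int(65537))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, RSA_OID) + b"\x05\x00")
                   + der_tlv(0x03, b"\x00" + rsa_key))
    cn = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403"))      # id-at-commonName
                 + der_tlv(0x0c, b"test.example.com"))             # UTF8String
    cri = der_tlv(0x30, der_int(0) + der_tlv(0x30, der_tlv(0x31, cn)) + spki
                  + der_tlv(0xa0, b""))                            # empty attributes
    sig_alg = der_tlv(0x30, der_tlv(0x06, sig_oid) + b"\x05\x00")
    return der_tlv(0x30, cri + sig_alg + der_tlv(0x03, b"\x00" + bytes(key_bits // 8)))


def der_to_pem(der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    for bits, oid in ((1024, bytes.fromhex("2a864886f70d010104")),   # the old wizard
                      (2048, bytes.fromhex("2a864886f70d010105")),   # patched CGI default
                      (2048, bytes.fromhex("2a864886f70d01010b"))):  # what you want
        print(inspect_csr(der_to_pem(make_sample_csr(bits, oid))))
```

Run against a real request, `inspect_csr(open("csr.pem").read())` returns the same two facts the `openssl` dump shows plus a list of policy violations; the 2048-bit/SHA-1 request above would pass the key-size check and fail the signature check, which is the state the patched CGI leaves an unmodified Console in. If you generate the CSR on the command line instead, the NSS invocation is of the form `certutil -R -d <instance db dir> -s "CN=..." -g 2048 -Z SHA256 -a -o csr.pem` (flag names from the certutil man page; check your version).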

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2013-08-14 07:47:10

idm-console-framework diffs 0001-Ticket-362-Directory-Console-generates-insufficient-.2.patch

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2013-08-14 07:54:01

389-admin-console diffs 0001-Ticket-362-Directory-Console-generates-insufficient-.3.patch

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2013-08-14 07:55:58

The idm-console-framework patch implements a new UI panel in the certificate request wizard that is used by the DS and Admin Server console. A screenshot of this new panel will be attached to this ticket.

The 389-admin-console patch is only needed to add the online help page that is accessed when you click on the "help" button on the new panel in the Console.

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2013-08-14 07:58:57

Screenshot console-keypanel.png

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2013-08-15 04:06:45

Thanks to Noriko for her review. Patches pushed to master:

Counting objects: 9, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 1.16 KiB, done.
Total 5 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   5c52dd5..4555aff  master -> master

Counting objects: 24, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (10/10), done.
Writing objects: 100% (13/13), 3.47 KiB, done.
Total 13 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/idm-console-framework.git
   d37a577..e043c5b  master -> master

Counting objects: 12, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (7/7), 1.08 KiB, done.
Total 7 (delta 3), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin-console.git
   48237b2..91568bd  master -> master

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2017-02-11 22:52:35

Metadata Update from @nkinder: