alexalouit
commented
8 years ago Thank's, but that's a ISPConfig issue, see http://git.ispconfig.org for source.
Closed kordianbruck closed 8 years ago
alexalouit
commented
8 years ago Thank's, but that's a ISPConfig issue, see http://git.ispconfig.org for source.
In https://github.com/alexalouit/ISPConfig-letsencrypt/blob/ISPConfig-3.0.5.4p8/src/server/plugins-available/apache2_plugin.inc.php the following is used:
According to the OpenSSL Docs (https://www.openssl.org/docs/manmaster/apps/genrsa.html) this is then used to seed the generation of a rsa keypair. This is most probably broken really badly and easily exploitable.
Use a better source of randomness or follow the best practices (use /dev/random for cryptographic randomness): http://stackoverflow.com/questions/637278/what-is-the-best-way-to-generate-a-random-key-within-php
Every SSL Certificate generated in this matter is most probably easily compromised. Also it does not generate 4096 keys as the config file would suggest but 2048.
In the end I'm really asking myself, why you are not using the Openssl Wrapper functions provided in PHP and instead are using exec. (http://php.net/manual/en/function.openssl-pkey-new.php)