Closed jenkins-infra-bot closed 4 years ago
R. Tyler Croy Kohsuke Kawaguchi Didn't we fix this a while back due to a Java update? Or was that only the updates.j.o TLS?
This remains an issue. The certificate has been improved in that the signature algorithm is now RSAwithSHA256 and the key length is now 1024 bits. Unfortunately, the smallest key size that's generally recommended for RSA keys nowadays is 1300 bits, with most organizations recommending 2048 bits or more.
Daniel Beck I assume this is fixed?
The root certs bundled with Jenkins:
The current yearly iteration of the signing cert (until October): 2048 bit RSA, sha256WithRSAEncryption
Between that and the fact that we serve none of the JSON metadata from mirrors (i.e. it's all directly from updates.jenkins.io, usually via HTTPS) we should be good.
Hi Guys,
I am not a Jenkins/plugin developer, but I did notice this and I think you should consider it:
The update center certificate is using algorithms and key sizes that are nowadays generally considered insecure.
RSA length is: 512
Signature algorithm: RSAwithMD5
Root certificate could use SHA256 instead:
RSA length is: 2048
Signature algorithm: RSAwithSHA1
Combined with the insecure distribution channel (HTTP), this can lead to very severe security breaches on user sites: is there any better place to insert an implant than the build server?
For convenience:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3735928565 (0xdeadbef5)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=San Jose, O=Jenkins Project, CN=Kohsuke Kawaguchi/emailAddress=kk@kohsuke.org
        Validity
            Not Before: Jan  4 22:04:01 2015 GMT
            Not After : Jan  4 22:04:01 2016 GMT
        Subject: C=US, ST=California, O=Jenkins Project, CN=Community Update Center
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:bc:06:31:76:79:cc:c9:11:15:42:47:ec:32:61:
                    8d:5e:3d:a6:14:c8:2e:af:e8:e3:6a:f2:71:e5:68:
                    dc:e8:c7:e2:ab:5c:77:dc:fb:3b:aa:9a:e1:6a:49:
                    47:98:28:3b:db:45:de:df:41:36:f8:8f:f9:47:4d:
                    17:71:40:3e:0b
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
         97:a5:cc:23:ff:b1:50:46:55:ca:63:73:d4:ea:fa:61:92:6d:
         96:64:04:1b:87:7d:07:1b:ce:70:30:2c:cb:d4:09:0b:86:20:
         85:56:2d:76:ef:5a:32:d1:af:b3:7d:57:6c:35:f5:85:37:33:
         aa:77:55:b1:94:42:e2:4f:cf:12:91:e3:a1:37:b2:9c:b0:89:
         3f:2a:e2:95:18:0f:f9:49:0a:08:9d:89:5a:94:d6:09:1d:d0:
         92:92:4f:38:ac:c9:f8:51:bc:bb:6d:54:fa:d6:f4:a7:41:d9:
         e9:6f:73:5d:6b:11:47:64:6d:6b:57:c3:26:cf:f1:6a:da:98:
         de:f2:87:48:5f:98:34:6a:61:35:85:cc:1e:2f:84:9a:b6:bf:
         9c:91:4e:58:c4:ca:e7:a1:f2:24:62:31:8f:04:d1:c2:0c:ad:
         ff:0d:4a:12:89:27:aa:1b:6a:db:70:55:11:e5:de:17:fe:67:
         3e:08:76:38:0a:7e:70:c2:4b:e4:f0:e9:c8:97:5e:d9:69:89:
         19:22:72:99:53:c2:50:fc:75:a4:d5:1d:dc:22:66:8c:c2:69:
         30:12:33:08:2e:b7:7a:bf:6e:c5:87:c8:b7:16:31:ab:e1:48:
         60:ae:a8:a3:0b:3e:4f:1a:a3:e6:44:2d:07:69:c8:7f:f7:5d:
         d3:b1:78:77
Originally reported by momcilo, imported from: Insecure private key and hashing algorithm for update-center.json signing
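As an added example (not code from the report or from the Jenkins project), the following Python script turns the report's concerns into a repeatable check over `openssl x509 -text` output: it flags RSA keys below 2048 bits, MD5/SHA-1 signature algorithms, and expired certificates. The thresholds are assumptions, and the sample dump is constructed from the fields quoted in the report with the serial, modulus and signature bytes left out.

```python
import re
from datetime import datetime

# Policy thresholds (assumptions for this example, not a Jenkins setting):
# anything below 2048-bit RSA or signed with MD5/SHA-1 is reported.
MIN_RSA_BITS = 2048
WEAK_SIG_HASHES = ("md5", "sha1")

# Constructed sample: fields of the update-center cert quoted in the report, abbreviated.
SAMPLE_DUMP = """\
Certificate:
    Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=San Jose, O=Jenkins Project, CN=Kohsuke Kawaguchi
        Validity
            Not After : Jan  4 22:04:01 2016 GMT
        Subject: C=US, ST=California, O=Jenkins Project, CN=Community Update Center
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
"""

def parse_x509_text(dump):
    """Extract subject, key size, signature algorithm and expiry; a concatenated chain gives one dict per cert."""
    certs = []
    for block in re.split(r"(?m)^Certificate:", dump)[1:]:
        sig = re.search(r"Signature Algorithm:\s*(\S+)", block)
        bits = re.search(r"Public-Key:\s*\((\d+) bit\)", block)
        subject = re.search(r"Subject:\s*(.+)", block)
        expiry = re.search(r"Not After\s*:\s*(.+?) GMT", block)
        certs.append({
            "subject": subject.group(1).strip() if subject else "?",
            "key_bits": int(bits.group(1)) if bits else None,
            "sig_alg": sig.group(1) if sig else None,
            "not_after": datetime.strptime(expiry.group(1), "%b %d %H:%M:%S %Y") if expiry else None,
        })
    return certs

def audit(certs, today):
    """Return (subject, problem) pairs; `today` is an ISO date so the expiry check is reproducible."""
    now = datetime.fromisoformat(today)
    findings = []
    for c in certs:
        if c["key_bits"] is not None and c["key_bits"] < MIN_RSA_BITS:
            findings.append((c["subject"], f"RSA key is {c['key_bits']} bits, below {MIN_RSA_BITS}"))
        if c["sig_alg"] and c["sig_alg"].lower().startswith(WEAK_SIG_HASHES):
            findings.append((c["subject"], f"weak signature algorithm {c['sig_alg']}"))
        if c["not_after"] and c["not_after"] < now:
            findings.append((c["subject"], f"expired {c['not_after']:%Y-%m-%d}"))
    return findings
```

Feed it the full `openssl x509 -text -noout` output of the whole chain (root and yearly signing cert concatenated) to see every weak link at once, as the report does for the leaf certificate.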