#362 Directory Console generates insufficient key strength
Closed: wontfix None Opened 11 years ago by eal3.

From "Manage Certificates", "Request": the wizard generates keys of only 1024 bits in length. The minimum needed for (all?) CAs that are non-self-signed is now 2048.

This requires using the command line to generate the CSR for a signed cert outside the organization.

The request wizard should have an option to change bit size, or at least default to the minimum required for security (now 2048).

389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.15-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-dsgw-1.1.9-1.el6.x86_64
389-admin-1.1.29-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-1.2.10.7-1.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.10.7-1.el6.x86_64
389-ds-1.2.2-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch


set default ticket origin to Community

Added initial screened field value.

Tried to get a new CSR today, found this is still a problem. (Thus checked here.)

There's no point in having the functionality in the Wizard at this point, IMO, and if we can't have a usable key size, that should be stated in the wizard: "This is usable only for self-signed; use the command line for signed keys", for instance.

[root@ds4 dirsrv]# yum list |grep 389
389-admin.x86_64 1.1.29-1.el6 @epel
389-admin-console.noarch 1.1.8-1.el6 @epel
389-admin-console-doc.noarch 1.1.8-1.el6 @epel
389-adminutil.x86_64 1.1.15-1.el6 @epel
389-console.noarch 1.1.7-1.el6 @epel
389-ds.noarch 1.2.2-1.el6 @epel
389-ds-base.x86_64 1.2.11.15-14.el6_4 @rhel-x86_64-server-6
389-ds-base-libs.x86_64 1.2.11.15-14.el6_4 @rhel-x86_64-server-6
389-ds-console.noarch 1.2.6-1.el6 @epel
389-ds-console-doc.noarch 1.2.6-1.el6 @epel
389-dsgw.x86_64 1.1.10-1.el6 @epel
389-admin.i686 1.1.29-1.el6 epel
389-adminutil.i686 1.1.15-1.el6 epel
389-adminutil-devel.i686 1.1.15-1.el6 epel
389-adminutil-devel.x86_64 1.1.15-1.el6 epel
389-ds-base-devel.i686 1.2.11.15-14.el6_4 rhel-x86_64-server-optional-6
389-ds-base-devel.x86_64 1.2.11.15-14.el6_4 rhel-x86_64-server-optional-6
389-ds-base-libs.i686 1.2.11.15-14.el6_4 rhel-x86_64-server-6
[root@ds4 dirsrv]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)

In addition to changing the default key size (and making it configurable), we should change the default for the signature algorithm to sha1WithRSAEncryption.

The Admin Server patch improves the default RSA key size and signing algorithm. No Console changes are needed to take advantage of these new defaults. The new defaults are:

  • 2048-bit key size
  • SHA-1 signing algorithm

The patch also gives the CGI the capability to support a configurable RSA key size up to 4096 as well as SHA-256, SHA-384, and SHA-512 signing algorithms. To take advantage of this capability, changes need to be made to idm-console-framework to allow the user to make selections.

Here is a certificate request generated by invoking the security CGI (with patch) from an unmodified Console. As can be seen, the key size is 2048 and the signing algorithm is SHA-1:

[nathank@neptune ~]$ openssl req -in /tmp/csr2.txt -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=California, CN=test.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption

The idm-console-framework patch implements a new UI panel in the certificate request wizard that is used by the DS and Admin Server console. A screenshot of this new panel will be attached to this ticket.

The 389-admin-console patch is only needed to add the online help page that is accessed when you click on the "help" button on the new panel in the Console.
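The two things a practitioner wants from this ticket are the command-line CSR workaround the reporter mentions and a way to check what a wizard or CGI actually produced. The following is an added example, not code from the ticket or from the 389 project: it builds the `openssl req` argv for a 2048/3072/4096-bit key with a SHA-2 digest, and audits `openssl req -text` output (as shown above) for the two weaknesses discussed here, key size below 2048 and a SHA-1/MD5 signature. The constants and sample text are assumptions modelled on the ticket.

```python
import re

MIN_RSA_BITS = 2048
ALLOWED_RSA_BITS = (2048, 3072, 4096)
# Digests the patched CGI can emit and that public CAs accept.
ALLOWED_DIGESTS = ("sha256", "sha384", "sha512")
# Digests CAs reject on a request; still the default from older tooling.
WEAK_DIGESTS = ("md5", "sha1")

def csr_command(subject, key_bits=2048, digest="sha256",
                key_out="server.key", csr_out="server.csr"):
    """Build the command-line `openssl req` invocation (the workaround the
    ticket mentions), validating key size and digest first. Returns argv."""
    if key_bits not in ALLOWED_RSA_BITS:
        raise ValueError(f"key size {key_bits} not in {ALLOWED_RSA_BITS}")
    if digest not in ALLOWED_DIGESTS:
        raise ValueError(f"digest {digest} not in {ALLOWED_DIGESTS}")
    return ["openssl", "req", "-new", "-newkey", f"rsa:{key_bits}",
            f"-{digest}", "-nodes", "-subj", subject,
            "-keyout", key_out, "-out", csr_out]

def inspect_csr_text(text):
    """Parse key size and signature algorithm from `openssl req -text` output."""
    m_bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    m_alg = re.search(r"Signature Algorithm: (\S+)", text)
    if not m_bits or not m_alg:
        raise ValueError("not recognisable `openssl req -text` output")
    return int(m_bits.group(1)), m_alg.group(1)

def audit_csr_text(text):
    """Return the list of findings for a CSR; an empty list means it passes."""
    bits, alg = inspect_csr_text(text)
    findings = []
    if bits < MIN_RSA_BITS:
        findings.append(f"RSA key is {bits} bits; minimum is {MIN_RSA_BITS}")
    if alg.lower().startswith(WEAK_DIGESTS):
        findings.append(f"signature algorithm {alg} uses a weak digest")
    return findings

# Constructed samples modelled on the `openssl req -text` output in this
# ticket (modulus and signature bytes omitted; the checks do not need them).
PATCHED_2048_SHA1 = """Certificate Request:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha1WithRSAEncryption
"""
WIZARD_1024_SHA1 = PATCHED_2048_SHA1.replace("(2048 bit)", "(1024 bit)")
```

Run `audit_csr_text` over the saved output of `openssl req -in request.csr -noout -text` to confirm a request before submitting it to a CA; the patched default above still trips the SHA-1 finding, which is why the SHA-256 option matters.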

Thanks to Noriko for her review. Patches pushed to master:

Counting objects: 9, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 1.16 KiB, done.
Total 5 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
5c52dd5..4555aff master -> master

Counting objects: 24, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (10/10), done.
Writing objects: 100% (13/13), 3.47 KiB, done.
Total 13 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/idm-console-framework.git
d37a577..e043c5b master -> master

Counting objects: 12, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (7/7), 1.08 KiB, done.
Total 7 (delta 3), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin-console.git
48237b2..91568bd master -> master

Metadata Update from @nkinder:
- Issue assigned to nkinder
- Issue set to the milestone: 389-admin,console 1.1.35

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/362

If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
