Skip Menu |
 

This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 126270
Status: open
Priority: 0/
Queue: Net-SSLeay

People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.85
Fixed in: (no value)



Subject: Use 2048-bit RSA keys in tests
Download (untitled) / with headers
text/plain 765b
OpenSSL allows to restrict keys, hashes and algorithms to meet certain security level (see @SECLEVEL in <https://www.openssl.org/docs/man1.1.0/apps/ciphers.html#CIPHER-LIST-FORMAT>). Some users and software distributions are experimenting with @SECLEVEL=2 because NIST adn ENISA discourages RSA keys shorted and 2048 bits. Running Net-SSLeay-1.85 tests on such a system results to a failure because the tests uses pregenerated 1024-bit keys. Attached patch updates the keys, certificates and revocation lists to 2048-bit RSA with SHA-256. It does not update all of them. Only the minimal set that experiences difficulties. The patch is a git-formatted patch because it patches binary files (in DER format). Please consider applying it to next Net-SSLeay version.
Subject: Net-SSLeay-1.85-Generate-2048-bit-keys-for-tests.patch

Message body is not shown because it is too large.

Download (untitled) / with headers
text/plain 1.3k
On Tue Aug 14 14:14:49 2018, ppisar wrote: Show quoted text
> OpenSSL allows to restrict keys, hashes and algorithms to meet certain > security level (see @SECLEVEL in > <https://www.openssl.org/docs/man1.1.0/apps/ciphers.html#CIPHER-LIST-
> FORMAT>).
> > Some users and software distributions are experimenting with > @SECLEVEL=2 because NIST adn ENISA discourages RSA keys shorted and > 2048 bits. Running Net-SSLeay-1.85 tests on such a system results to a > failure because the tests uses pregenerated 1024-bit keys. > > Attached patch updates the keys, certificates and revocation lists to > 2048-bit RSA with SHA-256. It does not update all of them. Only the > minimal set that experiences difficulties. The patch is a git- > formatted patch because it patches binary files (in DER format). > > Please consider applying it to next Net-SSLeay version.
Thanks for this, Petr. Could you document the steps you took in order to generate the new certificates? I ask for two reasons: (a) it'd be helpful to have a script in helper_scripts/ that generates new certificates in t/ and automatically updates the test files that rely on them (similar to what we already have for t/local/20_autoload.t and t/local/21_constants.t) in the event that we need to generate new certificates again in future, and (b) new certificates will have to be generated anyway, because rafl@debian.org is no longer the maintainer of Net-SSLeay.
Subject: Re: [rt.cpan.org #126270] Use 2048-bit RSA keys in tests
Date: Fri, 24 Aug 2018 10:30:27 +0200
To: Chris Novakovic via RT <bug-Net-SSLeay [...] rt.cpan.org>
From: Petr Pisar <ppisar [...] redhat.com>
Download (untitled) / with headers
text/plain 753b
On Thu, Aug 23, 2018 at 04:46:45PM -0400, Chris Novakovic via RT wrote: Show quoted text
> Could you document the steps you took in order to generate the new certificates?
I'm sorry I don't remember all the commands and my shell history has already rotated. I would have to do it everything again and I don't have time now. t/data/test_CA1* files are based on t/data/test_CA1.conf file and the procedure is described at top of the file. t/data/cert.pem, t/data/key.pem*, t/data/testcert_wildcard.crt.pem files are generatated by examples/makecert.pl. The tests were updates manually by copy-and-pasting openssl tool command output. The only exception was a md2 fingerprint that I copied from some on-line web service because none of my openssls support it. -- Petr
Download signature.asc
application/pgp-signature 228b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 503b
A short-term fix for this (which simply sets the security level to 1 before loading RSA keys in the test suite) has been merged and will be available from the next developer release onwards: https://github.com/radiator-software/p5-net-ssleay/pull/53 I'll leave this ticket open to remind me to implement the ideal long-term fix, which is to write a helper script for generating the test suite's keys/certificates and the tests that use them, then replace the existing 1024-bit keys with 2048-bit keys.
Download (untitled) / with headers
text/plain 732b
On ma 03.Sep 2018 12:27:20, CHRISN wrote: Show quoted text
> I'll leave this ticket open to remind me to implement the ideal long- > term fix, which is to write a helper script for generating the test > suite's keys/certificates and the tests that use them, then replace > the existing 1024-bit keys with 2048-bit keys.
Just remembered that in t/data/testcert_wildcard.conf we have an OpenSSL configuration file with openssl commands to run. This was used to create test certificates with various subjectAltNames. The private key is already 2048 bit and one idea I had was that it could be used to with any future tests too. I think these files could be used as a starting point to create new and refresh the existing certificates. -- Heikki


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.