Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls: Stop hardcoding 2048 bit RSA key length #21606

Merged
merged 1 commit into from
Feb 11, 2025
Merged

tls: Stop hardcoding 2048 bit RSA key length #21606

merged 1 commit into from
Feb 11, 2025

Conversation

martinpitt
Copy link
Member

These are rejected as "too weak" by the "FUTURE" crypto policy. Let the tools decide about appropriate defaults rather.

Thanks to Renaud Métrich for finding this!

https://issues.redhat.com/browse/RHEL-78645

@martinpitt
tls: Stop hardcoding 2048 bit RSA key length
6d95484 
These are rejected as "too weak" by the "FUTURE" crypto policy. Let the
tools decide about appropriate defaults rather.

Thanks to Renaud Métrich for finding this!

https://issues.redhat.com/browse/RHEL-78645
@martinpitt martinpitt added the release-blocker Targetted for next release label Feb 11, 2025
@martinpitt
Copy link
Member Author

I tested this command:

#     openssl req -x509 \
        -days 365 \
        -newkey rsa \
        -keyout key \
        -keyform PEM \
        -nodes \
        -out cert \
        -outform PEM \
        -subj "/CN=localhost" \
        -config - \
        -extensions v3_req << EOF
    [ req ]
    req_extensions = v3_req
    extensions = v3_req
    distinguished_name = req_distinguished_name
    [ req_distinguished_name ]
    [ v3_req ]
    subjectAltName=IP:127.0.0.1,DNS:localhost
    basicConstraints = critical, CA:TRUE
    keyUsage = critical, digitalSignature,cRLSign,keyCertSign,keyEncipherment,keyAgreement
    extendedKeyUsage = serverAuth
EOF

and then checked the key length. On Debian 12 (our oldest supported release), Fedora 41, and even RHEL 8.10. The default already is 2048 bits, so for the default crypto policy there is no change.

@martinpitt
Copy link
Member Author

martinpitt commented Feb 11, 2025
edited
Loading

The f41/revdeps failure is unrelated and tracked in cockpit-project/cockpit-podman#1999

https://artifacts.dev.testing-farm.io/2386b322-90d8-4923-831d-981d7481306d/

@martinpitt martinpitt mentioned this pull request Feb 11, 2025
Closed
jelly
jelly approved these changes Feb 11, 2025
View reviewed changes
src/tls/cockpit-certificate-helper.in
@@ -30,7 +30,6 @@ install_key() {
selfsign_sscg() {
sscg --quiet \
--lifetime "${DAYS}" \
--key-strength 2048 \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As not all distros have crypto policies, I looked at the default for key-strength, its 2048 for sscg

src/tls/cockpit-certificate-helper.in
@@ -43,7 +42,7 @@ selfsign_sscg() {
selfsign_openssl() {
openssl req -x509 \
-days "${DAYS}" \
-newkey rsa:2048 \
-newkey rsa \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

according to the man page also defaults to 2028

@martinpitt martinpitt merged commit c3a64be into cockpit-project:main Feb 11, 2025
87 of 88 checks passed
@martinpitt martinpitt deleted the key-strength branch February 11, 2025 08:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jelly jelly jelly approved these changes

@allisonkarlitskaya allisonkarlitskaya Awaiting requested review from allisonkarlitskaya

Assignees
No one assigned
Labels
release-blocker Targetted for next release
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@martinpitt @jelly