View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001237 | Main CAcert Website | certificate issuing | public | 2014-01-08 00:27 | 2014-11-13 15:48 |
Reporter | BenBE | Assigned To | NEOatNHNG | ||
Priority | normal | Severity | feature | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 2014 Q1 | ||||
Target Version | 2014 Q1 | Fixed in Version | 2014 Q1 | ||
Summary | 0001237: Certificates should be issued using sha512WithRSAEncryption for signatures | ||||
Description | For improved security of the signatures, newly issued certificates should be issued using SHA512 for the signature. | ||||
Additional Information | Requires an update of the system default configuration (default_md=sha512 in OpenSSL.cnf) as well as an addition to the Comm Module to allow setting the proper signature variant. | ||||
Tags | No tags attached. | ||||
Reviewed by | NEOatNHNG, BenBE | ||||
Test Instructions | |||||

When applying the patch be sure to update the database configuration using the following statements:

```sql
ALTER TABLE `domaincerts` ALTER `md` SET DEFAULT 'sha512';
ALTER TABLE `emailcerts` ALTER `md` SET DEFAULT 'sha512';
ALTER TABLE `orgdomaincerts` ALTER `md` SET DEFAULT 'sha512';
ALTER TABLE `orgemailcerts` ALTER `md` SET DEFAULT 'sha512';
```

Before DB changes: generate a WoT cert with 2k bit, SHA1, works => OK.
After DB changes: generate a WoT cert with 2k bit, PKCS #1 SHA-512 With RSA Encryption -> ok, works => OK.

Create org client cert: installed cert and viewed details; certificate details signature algorithm shows: PKCS #1 SHA-512 With RSA Encryption => ok

I generated a client certificate with 2k; it was signed with SHA-512 RSA. I did this with class 1 and class 3 roots. => ok

Mail sent to critical admins.

The fix has been installed on the production server on January 15, 2014. After enabling the fix, the database defaults for signature generation have been set to SHA512. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-01/msg00001.html

Documented changes in https://wiki.cacert.org/Software/Database/StructureDefined

On November 12, 2014 the default digest settings in the SSL configuration files on the signer have been updated to SHA512 to match the software change made on January 15, 2014. Note that the digest specified by the web server takes precedence over the default setting in the SSL configuration files on the signer, so this does not cause any difference in operation. The new versions of the SSL configuration files have been recorded in the CAcert SVN.
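The testers above confirmed the change by opening each issued certificate in a browser and reading "PKCS #1 SHA-512 With RSA Encryption" off the details pane. The following is an added example, not CAcert software, of doing the same check from a script: a dependency-free DER walker that reads a certificate's outer signatureAlgorithm, maps the OID to a name such as sha512WithRSAEncryption, flags MD5/SHA-1 digests, and cross-checks the OID against the `signature` field inside tbsCertificate, which RFC 5280 section 4.1.1.2 requires to be identical (only the inner copy is covered by the signature, so a mismatch means the outer field was edited after signing). All function and constant names are my own. The skeleton certificates built at the bottom are constructed test data containing only the fields the audit reads; they are not valid certificates. For real input, feed it the bytes produced by `openssl x509 -in cert.pem -outform DER`.

```python
"""Audit the signature algorithm of an X.509 certificate given as DER.

Added example (not CAcert code). Parses just enough DER to reach
Certificate.signatureAlgorithm and tbsCertificate.signature, names the
algorithm, flags MD5/SHA-1, and reports inner/outer mismatch.
"""

# OIDs of the PKCS#1 v1.5 RSA signature algorithms relevant to the SHA-1 -> SHA-512 move.
MD5_RSA = "1.2.840.113549.1.1.4"
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"
SHA384_RSA = "1.2.840.113549.1.1.12"
SHA512_RSA = "1.2.840.113549.1.1.13"
SIG_ALG_NAMES = {
    MD5_RSA: "md5WithRSAEncryption",
    SHA1_RSA: "sha1WithRSAEncryption",
    SHA256_RSA: "sha256WithRSAEncryption",
    SHA384_RSA: "sha384WithRSAEncryption",
    SHA512_RSA: "sha512WithRSAEncryption",
}
WEAK_DIGESTS = {MD5_RSA, SHA1_RSA}


def read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Turn OID content octets into dotted notation."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def algorithm_oid(alg_id_content):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = read_tlv(alg_id_content, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def signature_algorithms(cert_der):
    """Return (outer_oid, inner_oid): Certificate.signatureAlgorithm and the
    tbsCertificate.signature field that is actually covered by the signature."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)            # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)      # signatureAlgorithm
    # tbsCertificate: [0] EXPLICIT version (optional), serialNumber, signature, ...
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                            # version present: skip serialNumber too
        _, _, pos = read_tlv(tbs, pos)
    _, inner_alg, _ = read_tlv(tbs, pos)
    return algorithm_oid(outer_alg), algorithm_oid(inner_alg)


def audit_certificate(cert_der):
    """Name the signature algorithm and flag weak digests and inner/outer mismatch."""
    outer, inner = signature_algorithms(cert_der)
    return {
        "algorithm": SIG_ALG_NAMES.get(outer, outer),
        "weak_digest": outer in WEAK_DIGESTS,
        "algorithm_mismatch": outer != inner,
    }


# --- constructed test data (skeletons, not real certificates) ----------------

def der(tag, content):
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Encode a dotted OID into content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        digits = [arc & 0x7F]
        arc >>= 7
        while arc:
            digits.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(digits))
    return bytes(out)


def algorithm_identifier(oid):
    """AlgorithmIdentifier with NULL parameters, as RSA PKCS#1 v1.5 uses."""
    return der(0x30, der(0x06, encode_oid(oid)) + der(0x05, b""))


def skeleton_certificate(inner_oid, outer_oid):
    """Constructed Certificate carrying only version, serialNumber and signature in
    tbsCertificate, the outer signatureAlgorithm and a dummy signatureValue."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + algorithm_identifier(inner_oid))
    return der(0x30, tbs + algorithm_identifier(outer_oid) + der(0x03, b"\x00" + bytes(8)))


if __name__ == "__main__":
    for label, inner, outer in [("old default", SHA1_RSA, SHA1_RSA),
                                ("new default", SHA512_RSA, SHA512_RSA),
                                ("edited outer field", SHA1_RSA, SHA512_RSA)]:
        print(label, audit_certificate(skeleton_certificate(inner, outer)))
```

The mismatch check is the part a browser details pane does not show you: the pane reports the outer signatureAlgorithm, which is outside the signed bytes, so auditing a batch of issued certificates should always compare it with the inner field as well.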
Date Modified | Username | Field | Change |
---|---|---|---|
2014-01-08 00:27 | BenBE | New Issue | |
2014-01-08 00:27 | BenBE | Assigned To | => BenBE |
2014-01-08 01:25 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 3989d272 |
2014-01-08 01:25 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 0f08a1c6 |
2014-01-08 01:30 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable d5b87fa0 |
2014-01-08 01:30 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 182cdcad |
2014-01-08 01:35 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 1228febe |
2014-01-08 01:35 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 5decb5e8 |
2014-01-08 01:40 | BenBE | Reviewed by | => NEOatNHNG, BenBE |
2014-01-08 01:40 | BenBE | Note Added: 0004502 | |
2014-01-08 01:40 | BenBE | Status | new => needs review & testing |
2014-01-08 01:40 | BenBE | Status | needs review & testing => needs testing |
2014-01-08 01:42 | MartinGummi | Note Added: 0004503 | |
2014-01-08 10:15 | INOPIAE | Note Added: 0004504 | |
2014-01-08 10:17 | MartinGummi | Note Edited: 0004503 | |
2014-01-08 10:17 | INOPIAE | Assigned To | BenBE => NEOatNHNG |
2014-01-08 10:17 | INOPIAE | Status | needs testing => ready to deploy |
2014-01-08 10:21 | MartinGummi | Note Edited: 0004503 | |
2014-01-08 10:27 | Eva | Note Added: 0004505 | |
2014-01-14 22:56 | NEOatNHNG | Note Added: 0004508 | |
2014-01-15 00:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel release 7d088a2e |
2014-01-15 15:26 | wytze | Note Added: 0004520 | |
2014-01-15 15:26 | wytze | Status | ready to deploy => solved? |
2014-01-15 15:26 | wytze | Fixed in Version | => 2014 Q1 |
2014-01-15 15:26 | wytze | Resolution | open => fixed |
2014-01-18 17:10 | Ted | Note Added: 0004528 | |
2014-03-12 17:11 | NEOatNHNG | Relationship added | related to 0000807 |
2014-03-13 20:00 | BenBE | Relationship added | related to 0000317 |
2014-06-29 10:20 | INOPIAE | Status | solved? => closed |
2014-11-13 15:48 | wytze | Note Added: 0005103 | |