View Issue Details

ID: 0001237
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2014-11-13 15:48
Reporter: BenBE
Assigned To: NEOatNHNG
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2014 Q1
Target Version: 2014 Q1
Fixed in Version: 2014 Q1
Summary: 0001237: Certificates should be issued using sha512WithRSAEncryption for signatures
Description: For improved security of the signatures, newly issued certificates should be signed using SHA-512.
Additional Information: Requires an update of the system default configuration (default_md=sha512 in OpenSSL.cnf) as well as an addition to the Comm Module to allow setting the proper signature variant.
Tags: No tags attached.
Reviewed by: NEOatNHNG, BenBE
Test Instructions:

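The testers below confirm the result by reading the signature algorithm off the browser's certificate viewer. As an added example that is not CAcert's code, this standard-library Python script does the same check programmatically: it pulls the outer signatureAlgorithm OID out of a DER certificate and reports whether it is the intended sha512WithRSAEncryption or still the old sha1WithRSAEncryption default. The sample certificate bytes are constructed for the test and are not a real certificate.

```python
# Added example, not CAcert's code: read the outer signatureAlgorithm of a DER
# X.509 certificate (RFC 5280: SEQUENCE { tbsCertificate, signatureAlgorithm,
# signatureValue }) with the standard library only, then check it is SHA-512.
SIG_ALGS = {  # PKCS#1 v1.5 RSA signature OIDs
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
SHA512_RSA_OID = "2a864886f70d01010d"  # DER contents of 1.2.840.113549.1.1.13
SHA1_RSA_OID = "2a864886f70d010105"    # DER contents of 1.2.840.113549.1.1.5 (old default)

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):  # DER OID contents -> dotted notation; first byte packs two arcs
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the dotted OID from the certificate's outer AlgorithmIdentifier."""
    tag, cert, _ = _tlv(der, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    _, _, pos = _tlv(cert, 0)          # skip tbsCertificate
    tag, algid, _ = _tlv(cert, pos)    # signatureAlgorithm
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid, _ = _tlv(algid, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _oid(oid)

def check_issued(der, expected="sha512WithRSAEncryption"):
    """Policy check for an issued certificate: (passes?, algorithm name)."""
    name = SIG_ALGS.get(signature_algorithm(der), "unknown")
    return name == expected, name

def sample_cert(oid_hex):
    """Constructed stand-in (not a real certificate) with a real AlgorithmIdentifier."""
    tbs = b"\x30\x81\xc8" + b"\x00" * 200                  # dummy SEQUENCE, long-form length 200
    algid = bytes.fromhex("300d0609" + oid_hex + "0500")   # SEQUENCE { OID, NULL }
    sig = b"\x03\x09\x00" + b"\xff" * 8                    # dummy BIT STRING, 0 unused bits
    return b"\x30\x81\xe5" + tbs + algid + sig             # outer SEQUENCE, 229 content bytes
```

To run it against a real issued certificate, convert the PEM to DER first (for example with `openssl x509 -outform DER`) and pass the bytes to check_issued.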
Relationships

related to 0000317 (closed, duane): SHA-2 support
related to 0000807 (needs review & testing, NEOatNHNG): cacert ignores signature algorithm from csr

Activities

BenBE

2014-01-08 01:40

updater   ~0004502

When applying the patch be sure to update the database configuration using the following statements:

ALTER TABLE `domaincerts` ALTER `md` SET DEFAULT 'sha512';
ALTER TABLE `emailcerts` ALTER `md` SET DEFAULT 'sha512';
ALTER TABLE `orgdomaincerts` ALTER `md` SET DEFAULT 'sha512';
ALTER TABLE `orgemailcerts` ALTER `md` SET DEFAULT 'sha512';

MartinGummi

2014-01-08 01:42

updater   ~0004503

Last edited: 2014-01-08 10:21

before DB changes

generate a WoT Cert with 2k bit

SHA1

works => OK

after DB changes

gen a WoT Cert with 2k bit

PKCS #1 SHA-512 With RSA Encryption -> ok

works => OK

INOPIAE

2014-01-08 10:15

updater   ~0004504

Create org client cert:
Installed cert and view details
certificate details signature algorithm shows:
PKCS #1 SHA-512 with RSA Encryption
=> ok

Eva

2014-01-08 10:27

updater   ~0004505

I generated a client certificate with 2k

it was signed with SHA-512 RSA

I did this with class 1 and class 3 roots.

=> ok

NEOatNHNG

2014-01-14 22:56

administrator   ~0004508

Mail sent to critical admins.

wytze

2014-01-15 15:26

developer   ~0004520

The fix has been installed on the production server on January 15, 2014. After enabling the fix, the database defaults for signature generation have been set to SHA512.
See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-01/msg00001.html

Ted

2014-01-18 17:10

administrator   ~0004528

Documented changes in https://wiki.cacert.org/Software/Database/StructureDefined

wytze

2014-11-13 15:48

developer   ~0005103

On November 12, 2014 the default digest settings in the SSL configuration files on the signer have been updated to SHA512 to match the software change made on January 15, 2014. Note that the digest specified by the web server takes precedence over the default setting in the SSL configuration files on the signer, so this does not cause any difference in operation.
The new versions of the SSL configuration files have been recorded in the CAcert SVN.

Issue History

Date Modified Username Field Change
2014-01-08 00:27 BenBE New Issue
2014-01-08 00:27 BenBE Assigned To => BenBE
2014-01-08 01:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 3989d272
2014-01-08 01:25 BenBE Source_changeset_attached => cacert-devel testserver-stable 0f08a1c6
2014-01-08 01:30 BenBE Source_changeset_attached => cacert-devel testserver-stable d5b87fa0
2014-01-08 01:30 BenBE Source_changeset_attached => cacert-devel testserver-stable 182cdcad
2014-01-08 01:35 BenBE Source_changeset_attached => cacert-devel testserver-stable 1228febe
2014-01-08 01:35 BenBE Source_changeset_attached => cacert-devel testserver-stable 5decb5e8
2014-01-08 01:40 BenBE Reviewed by => NEOatNHNG, BenBE
2014-01-08 01:40 BenBE Note Added: 0004502
2014-01-08 01:40 BenBE Status new => needs review & testing
2014-01-08 01:40 BenBE Status needs review & testing => needs testing
2014-01-08 01:42 MartinGummi Note Added: 0004503
2014-01-08 10:15 INOPIAE Note Added: 0004504
2014-01-08 10:17 MartinGummi Note Edited: 0004503
2014-01-08 10:17 INOPIAE Assigned To BenBE => NEOatNHNG
2014-01-08 10:17 INOPIAE Status needs testing => ready to deploy
2014-01-08 10:21 MartinGummi Note Edited: 0004503
2014-01-08 10:27 Eva Note Added: 0004505
2014-01-14 22:56 NEOatNHNG Note Added: 0004508
2014-01-15 00:30 NEOatNHNG Source_changeset_attached => cacert-devel release 7d088a2e
2014-01-15 15:26 wytze Note Added: 0004520
2014-01-15 15:26 wytze Status ready to deploy => solved?
2014-01-15 15:26 wytze Fixed in Version => 2014 Q1
2014-01-15 15:26 wytze Resolution open => fixed
2014-01-18 17:10 Ted Note Added: 0004528
2014-03-12 17:11 NEOatNHNG Relationship added related to 0000807
2014-03-13 20:00 BenBE Relationship added related to 0000317
2014-06-29 10:20 INOPIAE Status solved? => closed
2014-11-13 15:48 wytze Note Added: 0005103