View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001297 | Main CAcert Website | source code | public | 2014-08-07 15:49 | 2014-12-02 22:48 |
| Reporter | wytze | Assigned To | BenBE | ||
| Priority | urgent | Severity | block | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | 2014 Q2 | ||||
| Target Version | 2014 Q3 | Fixed in Version | 2014 Q3 | ||
| Summary | 0001297: includes/lib/check_weak_key.php is broken after upgrade to Debian Wheezy with openssl 1.0 | ||||
| Description | The code in includes/lib/check_weak_key.php relies on the output of openssl for a number of textual messages. Since Debian Wheezy uses openssl 1.0.1 rather than 0.9.8. some of the matched strings have changed. As a result, when upgrading the CAcert application chroot environment to Debian Wheezy, certificate issuing fails with errors like: "checkWeakKeyText(): Couldn't parse the RSA key size." | ||||
| Steps To Reproduce | Upgrade CAcert application environment to Debian Wheezy and try to create a certificate. Note: cacert2.it-sls.de has the required test environment, but also has the patch suggested below installed. By reverting check_weak_key.php to the old version, the problem can be observed. | ||||
| Additional Information | A suggested patch is attached. A permanent fix for this problem is urgent, since the CAcert application chroot environment on the production server needs to be upgraded to Debian Wheezy ASAP; the current Debian Squeeze environment is lacking security support/patches for recently reported problems with Apache2 / PHP / openssl. | ||||
| Tags | No tags attached. | ||||
| Attached Files | check_weak_key.php.patch (1,060 bytes)
--- /home/cacert/www/includes/lib/check_weak_key.php.org 2014-03-10 17:58:51.000000000 +0100
+++ /home/cacert/www/includes/lib/check_weak_key.php 2014-06-20 17:13:08.293552377 +0200
@@ -128,7 +128,7 @@
if ($algorithm === "rsaEncryption")
{
- if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, $keysize))
+ if (!preg_match('/^\s*Public-Key: \((\d+) bit\)$/m', $text, $keysize))
{
return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
"key size.\nData:\n$text");
@@ -308,7 +308,7 @@
if ($algorithm !== "rsaEncryption") return false;
/* Extract public key size */
- if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
+ if (!preg_match('/^\s*Public-Key: \((\d+) bit\)$/m', $text,
$keysize))
{
trigger_error("checkDebianVulnerability(): Couldn't parse the ".
@@ -338,7 +338,7 @@
/* Extract RSA modulus */
- if (!preg_match('/^\s*Modulus \(\d+ bit\):\n'.
+ if (!preg_match('/^\s*Modulus:\n'.
'((?:\s*[0-9a-f][0-9a-f]:(?:\n)?)+[0-9a-f][0-9a-f])$/m',
$text, $modulus))
{
| ||||
| Reviewed by | Ted, BenBE | ||||
| Test Instructions | |||||
|
|
I have looked over the patch and created a git commit from it as it seemed sane to me. The commit is available here: https://github.com/yellowant/cacert-devel/commits/bug-1297 |
|
|
Applied on testserver, but needs a rebuilt of the chroot to be fully working. |
|
|
The chroot on test.cacert.org aka cacert1.it-sls.de has been rebuilt to Debian Wheezy on August 9, 2014 around 12:00 CEST. |
|
|
Tests performed: 1. request client certificate, SHA-512, medium grade: "The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki" => OK 2. request client certificate, SHA-512, high grade: Works => OK 3. request client certificate, SHA-256, high grade: Works => OK 4. request server certificate, 1024-bit key: "The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki" => OK 5. request server certificate, 2048-bit key: Works => OK All tests succeeded. |
|
|
Reviewed fa3a17789986431c15dac26c43a8100ee7e8d0d4 vs. 061fec271f164c0efb356d98b5b4f640ed3c6c2f The only changed file is includes/lib/check_weak_key.php Verified different output of OpenSSL versions 0.9.8 and 1.0.1 by using openssl x509 -noout -text on a certificate file Code changes match changes in OpenSSL output. Review is PASSED. |
|
|
1. Client cert 2048-bit-spkac (High Grade) random: --> Works => OK 2. Client cert 1024-bit-spkac (Medium Grade) random: --> key size too small => OK 3. Client cert 4096-bit-CSR random: --> Works => OK 4. Client cert 1024-bit-CSR random: --> key size too small => OK 5. Orga-server-cert 1024-bit-CSR: --> key size too small => OK 6. Orga-server-cert 4096-bit-CSR: --> Works => OK ==> Test PASSED |
|
|
The patch has been installed on the production server on August 28, 2014, immediately after upgrading the CAcert chroot application environment to Debian Wheezy. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-08/msg00019.html https://lists.cacert.org/wws/arc/cacert-systemlog/2014-08/msg00020.html |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2014-08-07 15:49 | wytze | New Issue | |
| 2014-08-07 15:49 | wytze | File Added: check_weak_key.php.patch | |
| 2014-08-08 16:55 | BenBE | Assigned To | => felixd |
| 2014-08-08 16:55 | BenBE | Status | new => needs work |
| 2014-08-08 23:30 | felixd | Note Added: 0004923 | |
| 2014-08-08 23:55 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 61da9da5 |
| 2014-08-08 23:55 | felixd | Source_changeset_attached | => cacert-devel testserver-stable 061fec27 |
| 2014-08-09 00:11 | BenBE | Reviewed by | => BenBE |
| 2014-08-09 00:11 | BenBE | Note Added: 0004926 | |
| 2014-08-09 00:11 | BenBE | Assigned To | felixd => NEOatNHNG |
| 2014-08-09 00:11 | BenBE | Status | needs work => needs review & testing |
| 2014-08-09 00:12 | BenBE | Note Edited: 0004926 | |
| 2014-08-09 10:08 | wytze | Note Added: 0004930 | |
| 2014-08-09 10:55 | wytze | Note Added: 0004933 | |
| 2014-08-15 18:33 | Ted | Note Added: 0004945 | |
| 2014-08-15 18:34 | Ted | Reviewed by | BenBE => Ted, BenBE |
| 2014-08-15 18:34 | Ted | Status | needs review & testing => needs testing |
| 2014-08-16 13:43 | felixd | Note Added: 0004951 | |
| 2014-08-18 05:36 | BenBE | Assigned To | NEOatNHNG => BenBE |
| 2014-08-18 05:36 | BenBE | Status | needs testing => ready to deploy |
| 2014-08-28 07:25 | BenBE | Source_changeset_attached | => cacert-devel release f7509bc9 |
| 2014-08-28 15:22 | wytze | Note Added: 0004982 | |
| 2014-08-28 15:22 | wytze | Status | ready to deploy => solved? |
| 2014-08-28 15:22 | wytze | Fixed in Version | => 2014 Q3 |
| 2014-08-28 15:22 | wytze | Resolution | open => fixed |
| 2014-12-02 22:48 | INOPIAE | Status | solved? => closed |
