View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001297 | Main CAcert Website | source code | public | 2014-08-07 15:49 | 2014-12-02 22:48 |
Reporter | wytze | Assigned To | BenBE | ||
Priority | urgent | Severity | block | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 2014 Q2 | ||||
Target Version | 2014 Q3 | Fixed in Version | 2014 Q3 | ||
Summary | 0001297: includes/lib/check_weak_key.php is broken after upgrade to Debian Wheezy with openssl 1.0 | ||||
Description | The code in includes/lib/check_weak_key.php relies on the output of openssl for a number of textual messages. Since Debian Wheezy uses openssl 1.0.1 rather than 0.9.8. some of the matched strings have changed. As a result, when upgrading the CAcert application chroot environment to Debian Wheezy, certificate issuing fails with errors like: "checkWeakKeyText(): Couldn't parse the RSA key size." | ||||
Steps To Reproduce | Upgrade CAcert application environment to Debian Wheezy and try to create a certificate. Note: cacert2.it-sls.de has the required test environment, but also has the patch suggested below installed. By reverting check_weak_key.php to the old version, the problem can be observed. | ||||
Additional Information | A suggested patch is attached. A permanent fix for this problem is urgent, since the CAcert application chroot environment on the production server needs to be upgraded to Debian Wheezy ASAP; the current Debian Squeeze environment is lacking security support/patches for recently reported problems with Apache2 / PHP / openssl. | ||||
Tags | No tags attached. | ||||
Attached Files | check_weak_key.php.patch (1,060 bytes)
--- /home/cacert/www/includes/lib/check_weak_key.php.org 2014-03-10 17:58:51.000000000 +0100 +++ /home/cacert/www/includes/lib/check_weak_key.php 2014-06-20 17:13:08.293552377 +0200 @@ -128,7 +128,7 @@ if ($algorithm === "rsaEncryption") { - if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, $keysize)) + if (!preg_match('/^\s*Public-Key: \((\d+) bit\)$/m', $text, $keysize)) { return failWithId("checkWeakKeyText(): Couldn't parse the RSA ". "key size.\nData:\n$text"); @@ -308,7 +308,7 @@ if ($algorithm !== "rsaEncryption") return false; /* Extract public key size */ - if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, + if (!preg_match('/^\s*Public-Key: \((\d+) bit\)$/m', $text, $keysize)) { trigger_error("checkDebianVulnerability(): Couldn't parse the ". @@ -338,7 +338,7 @@ /* Extract RSA modulus */ - if (!preg_match('/^\s*Modulus \(\d+ bit\):\n'. + if (!preg_match('/^\s*Modulus:\n'. '((?:\s*[0-9a-f][0-9a-f]:(?:\n)?)+[0-9a-f][0-9a-f])$/m', $text, $modulus)) { | ||||
Reviewed by | Ted, BenBE | ||||
Test Instructions | |||||
|
I have looked over the patch and created a git commit from it as it seemed sane to me. The commit is available here: https://github.com/yellowant/cacert-devel/commits/bug-1297 |
|
Applied on testserver, but needs a rebuilt of the chroot to be fully working. |
|
The chroot on test.cacert.org aka cacert1.it-sls.de has been rebuilt to Debian Wheezy on August 9, 2014 around 12:00 CEST. |
|
Tests performed: 1. request client certificate, SHA-512, medium grade: "The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki" => OK 2. request client certificate, SHA-512, high grade: Works => OK 3. request client certificate, SHA-256, high grade: Works => OK 4. request server certificate, 1024-bit key: "The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki" => OK 5. request server certificate, 2048-bit key: Works => OK All tests succeeded. |
|
Reviewed fa3a17789986431c15dac26c43a8100ee7e8d0d4 vs. 061fec271f164c0efb356d98b5b4f640ed3c6c2f The only changed file is includes/lib/check_weak_key.php Verified different output of OpenSSL versions 0.9.8 and 1.0.1 by using openssl x509 -noout -text on a certificate file Code changes match changes in OpenSSL output. Review is PASSED. |
|
1. Client cert 2048-bit-spkac (High Grade) random: --> Works => OK 2. Client cert 1024-bit-spkac (Medium Grade) random: --> key size too small => OK 3. Client cert 4096-bit-CSR random: --> Works => OK 4. Client cert 1024-bit-CSR random: --> key size too small => OK 5. Orga-server-cert 1024-bit-CSR: --> key size too small => OK 6. Orga-server-cert 4096-bit-CSR: --> Works => OK ==> Test PASSED |
|
The patch has been installed on the production server on August 28, 2014, immediately after upgrading the CAcert chroot application environment to Debian Wheezy. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-08/msg00019.html https://lists.cacert.org/wws/arc/cacert-systemlog/2014-08/msg00020.html |
Date Modified | Username | Field | Change |
---|---|---|---|
2014-08-07 15:49 | wytze | New Issue | |
2014-08-07 15:49 | wytze | File Added: check_weak_key.php.patch | |
2014-08-08 16:55 | BenBE | Assigned To | => felixd |
2014-08-08 16:55 | BenBE | Status | new => needs work |
2014-08-08 23:30 | felixd | Note Added: 0004923 | |
2014-08-08 23:55 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 61da9da5 |
2014-08-08 23:55 | felixd | Source_changeset_attached | => cacert-devel testserver-stable 061fec27 |
2014-08-09 00:11 | BenBE | Reviewed by | => BenBE |
2014-08-09 00:11 | BenBE | Note Added: 0004926 | |
2014-08-09 00:11 | BenBE | Assigned To | felixd => NEOatNHNG |
2014-08-09 00:11 | BenBE | Status | needs work => needs review & testing |
2014-08-09 00:12 | BenBE | Note Edited: 0004926 | |
2014-08-09 10:08 | wytze | Note Added: 0004930 | |
2014-08-09 10:55 | wytze | Note Added: 0004933 | |
2014-08-15 18:33 | Ted | Note Added: 0004945 | |
2014-08-15 18:34 | Ted | Reviewed by | BenBE => Ted, BenBE |
2014-08-15 18:34 | Ted | Status | needs review & testing => needs testing |
2014-08-16 13:43 | felixd | Note Added: 0004951 | |
2014-08-18 05:36 | BenBE | Assigned To | NEOatNHNG => BenBE |
2014-08-18 05:36 | BenBE | Status | needs testing => ready to deploy |
2014-08-28 07:25 | BenBE | Source_changeset_attached | => cacert-devel release f7509bc9 |
2014-08-28 15:22 | wytze | Note Added: 0004982 | |
2014-08-28 15:22 | wytze | Status | ready to deploy => solved? |
2014-08-28 15:22 | wytze | Fixed in Version | => 2014 Q3 |
2014-08-28 15:22 | wytze | Resolution | open => fixed |
2014-12-02 22:48 | INOPIAE | Status | solved? => closed |