[Bug 894783] New: CA management: Sign Request: Don't use sequential serial numbers
https://bugzilla.novell.com/show_bug.cgi?id=894783

https://bugzilla.novell.com/show_bug.cgi?id=894783#c0

           Summary: CA management: Sign Request: Don't use sequential serial numbers
    Classification: openSUSE
           Product: openSUSE 12.3
           Version: Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: YaST2
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: Ulrich.Windl@rz.uni-regensburg.de
         QAContact: jsrain@suse.com
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0

(In openssl tradition certificates use sequential serial numbers)

YaST's certificate signing function uses sequential serial numbers to issue (sign) certificates (like 01, 02, 03, ... 09, 0A, 0B, ...)

Due to some weaknesses in SHA-1, there's a recommendation to use serial numbers with a higher entropy. See https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/ElekSignatur/BSI_SHA1_Ze... (German):

---BEGIN quote---
Collision attacks against certificate creation with SHA-1 can be prevented from the outset if the following holds:
1) The X.509v3 format according to ISIS-MTT is used.
2) The serial number ("serialNumber") of the certificate has a sufficiently high entropy h for the attacker. That is, the attacker's uncertainty about the serial number of a certificate to be created is at least h bits.
(...)
---END quote---

Reproducible: Always

Steps to Reproduce:
1. Sign a certificate request (CSR) in YaST's CA management

Actual Results:
The certificate gets a serial number that can easily be guessed

Expected Results:
The serial number should not be easy to guess

See also http://www.heise.de/security/meldung/Fragwuerdige-Hash-Funktion-SHA-1-immer-... (German)

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

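
Added example (not part of the bug report and not YaST's code): drawing the serial from a CSPRNG within the RFC 5280 limits, plus a check that flags counter-style serials such as the 01, 02, 03, ... quoted in the report. The function names, the gap heuristic and the 64-bit default for h are assumptions of this example; the report gives no value for h.

```python
import secrets

MAX_DER_OCTETS = 20  # RFC 5280: serialNumber is positive, at most 20 octets


def der_octets(n):
    """DER INTEGER content length for positive n (leaves room for the sign bit)."""
    return n.bit_length() // 8 + 1


def new_serial(entropy_bits=128):
    """Draw a positive serial from the OS CSPRNG instead of a counter."""
    if not 1 <= entropy_bits <= 8 * MAX_DER_OCTETS - 1:
        raise ValueError("serial must fit in 20 octets as a positive INTEGER")
    while True:
        n = secrets.randbits(entropy_bits)
        if n > 0:  # zero is not a valid serial
            return n


def guess_bits(issued_hex):
    """Heuristic (assumption of this example): bit length of the largest step
    between consecutively issued serials, i.e. how wide a window an observer
    of earlier certificates must search for the next one. It catches
    counters; a large value does not prove the serials are random."""
    serials = [int(s, 16) for s in issued_hex]
    if len(serials) < 2:
        raise ValueError("need at least two serials in issue order")
    return max(abs(b - a) for a, b in zip(serials, serials[1:])).bit_length()


def is_guessable(issued_hex, h=64):
    """True when the observed steps leave fewer than h bits of uncertainty."""
    return guess_bits(issued_hex) < h


# Constructed sample: counter-style serials 01 .. 0B as described in the report.
SEQUENTIAL = [format(i, "02X") for i in range(1, 12)]

if __name__ == "__main__":
    fresh = [format(new_serial(), "X") for _ in range(5)]
    print("sequential:", guess_bits(SEQUENTIAL), "bit(s), guessable =", is_guessable(SEQUENTIAL))
    print("random:    ", guess_bits(fresh), "bits, guessable =", is_guessable(fresh))
```
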
https://bugzilla.novell.com/show_bug.cgi?id=894783

https://bugzilla.novell.com/show_bug.cgi?id=894783#c1

Bernhard Wiedemann <bwiedemann@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bwiedemann@suse.com,
                   |                            |meissner@suse.com
         AssignedTo|bnc-team-screening@forge.pr |mc@suse.com
                   |ovo.novell.com              |

--- Comment #1 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-09-07 14:03:05 CEST ---
IMHO, it would be easier+better to switch to another hash function instead

https://bugzilla.novell.com/show_bug.cgi?id=894783

https://bugzilla.novell.com/show_bug.cgi?id=894783#c2

--- Comment #2 from Marcus Meissner <meissner@suse.com> 2014-09-07 15:52:36 UTC ---
Yes, sha1 should not be used here anymore; sha256 seems to be the currently most used function.

https://bugzilla.novell.com/show_bug.cgi?id=894783

https://bugzilla.novell.com/show_bug.cgi?id=894783#c3

Michael Calmer <mc@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #3 from Michael Calmer <mc@suse.com> 2014-09-09 10:52:22 CEST ---
openSUSE 13.2 uses sha256 by default. But I will not fix it for this old openSUSE version. So closed as wontfix (for this version).

http://bugzilla.novell.com/show_bug.cgi?id=894783

http://bugzilla.novell.com/show_bug.cgi?id=894783#c6

Michael Calmer <mc@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #6 from Michael Calmer <mc@suse.com> ---
Dropped. Will not be changed for old versions.

http://bugzilla.novell.com/show_bug.cgi?id=894783

http://bugzilla.novell.com/show_bug.cgi?id=894783#c7

--- Comment #7 from Michael Calmer <mc@suse.com> ---
Dropped. Will not be changed for old versions.